
Bug 430285

Summary: Root path does not work behind URL rewriting proxy
Product: [RT] RAP
Reporter: Ralf Sternberg <rsternberg>
Component: RWT
Assignee: Project Inbox <rap-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: mknauer
Version: 2.3
Target Milestone: 2.3 M3
Hardware: PC
OS: Linux
Whiteboard:

Description Ralf Sternberg 2014-03-13 09:54:28 EDT
The startup JSON contains a URL for the client to connect to. Normally, this is a relative URL. However, for entrypoints registered at the root path, the server returns an absolute URL in this field. Absolute URLs prevent URL rewriting.

This problem can only be reproduced when the browser does not send a JSESSIONID cookie.

Comment 1 Ralf Sternberg 2014-03-13 10:04:47 EDT
This issue is caused by the use of HttpServletResponse.encodeURL() in StartupJson.getUrl().

At least in tomcat, this method returns an absolute URL when called with "".

Regardless of this issue, I wonder if it's correct to use this encodeURL() in StartupJson.getUrl() at all. This method is used to append the session id (URL rewriting) in case the client does not appear to support cookies. Since the initial request runs in its own temporary UISession, there is no reason to enforce the UI requests to use the same HTTPSession.

Comment 2 Ralf Sternberg 2014-03-18 05:36:37 EDT
> At least in tomcat, this method returns an absolute URL when called with "".

From org.apache.catalina.connector.Response, encodeURL:

    // W3c spec clearly said 
    if (url.equalsIgnoreCase("")){
        url = absolute;
    }

I see two possible workarounds:

a) replace the empty string with "./" before passing it to encodeUrl()

- When the servlet path is "" we know that it's the root path, so "./" should be correct. Looks like a clean and safe solution to me.

b) remove everything up to the last slash from the URL returned by encodeUrl()

- This would fail if the session id contains a slash.

> Regardless of this issue, I wonder if it's correct to use this encodeURL() in
> StartupJson.getUrl() at all...

On a closer look, encodeUrl() is still required for URL rewriting support, i.e. cases where either client or server has cookies turned off.
Since every POST request is made to the URL that is included in the startup JSON, the jsessionid must be included in this URL.

Comment 3 Ivan Furnadjiev 2014-03-24 06:12:57 EDT
(In reply to comment #2)
> I see two possible workarounds:
> 
> a) replace the empty string with "./" before passing it to encodeUrl()
> 
> - When the servlet path is "" we know that it's the root path, so "./" should
> be correct. Looks like a clean and safe solution to me.
> 
> b) remove everything up to the last slash from the URL returned by encodeUrl()
> 
> - This would fail if the session id contains a slash.

I think that the first suggestion is safer. I'm voting for it.

Comment 4 Ralf Sternberg 2014-03-26 17:13:58 EDT
Implemented the change in https://git.eclipse.org/r/#/c/23938/. Tested with tomcat 7.0: when there is a jsessionid cookie, the message head is {"url":"./"}; when the cookie is not present, it's {"url":"./;jsessionid=AFE65FE7A8944E0272CE9AE9D4464DAE"}.
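
The following is an added example, not part of the bug report and not RAP or Tomcat code. It models the encodeURL() behaviour described in comments 1 and 2 and resolves each candidate startup URL the way a browser client would, to show why the absolute URL defeats the proxy and why workaround b) loses the session id when it contains a slash. The host names, the session ids and all function names are assumptions made for illustration.

```javascript
// Simplified model, not RAP or Tomcat code. Hosts and session ids are constructed.
const BACKEND = "http://backend.internal:8080/";     // URL the servlet container sees
const PUBLIC = "https://www.example.org/apps/rap/";  // URL the browser sees via the proxy

// Models only what the thread describes: no encoding when a session cookie
// is present; otherwise "" is replaced by the absolute request URL before
// the session id is appended.
function encodeUrl(url, sessionId, hasCookie) {
  if (hasCookie) return url;
  const target = url === "" ? BACKEND : url;
  return `${target};jsessionid=${sessionId}`;
}

// Behaviour before the fix: the root path is passed as "".
function startupUrlOriginal(sessionId, hasCookie) {
  return encodeUrl("", sessionId, hasCookie);
}

// Workaround a): pass "./" for the root path.
function startupUrlA(sessionId, hasCookie) {
  return encodeUrl("./", sessionId, hasCookie);
}

// Workaround b): cut everything up to the last slash from the encoded URL.
function startupUrlB(sessionId, hasCookie) {
  const encoded = encodeUrl("", sessionId, hasCookie);
  return encoded.substring(encoded.lastIndexOf("/") + 1);
}

// The client resolves the startup URL against the page it was loaded from.
function postTarget(startupUrl) {
  return new URL(startupUrl, PUBLIC).href;
}

// Compare all three variants for a plain session id and one containing a slash.
function demo() {
  const rows = [];
  for (const sid of ["AFE65FE7", "AFE6/5FE7"]) {
    rows.push({ sid, original: postTarget(startupUrlOriginal(sid, false)),
      a: postTarget(startupUrlA(sid, false)), b: postTarget(startupUrlB(sid, false)) });
  }
  return rows;
}

console.table(demo());
```

In the `original` column the POST target is the backend address, which the browser cannot reach through the proxy; in the `b` column for the id with a slash, the jsessionid parameter is gone.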