[jetty-users] Issue with upgrading to Jetty 9.4.11

Discussion:

Eze Ikonne

2018-10-10 17:36:34 UTC

Hi all,

I just would like to report that I am making some progress on upgrading Jetty 7 to Jetty 9.4.11, I will share the things that I have learned once the effort is completed. However, I am now stuck because, for some reason, Jetty 9.4.11 is returning a non-secure uri when it supposed to return secure uri back to the browsers. My question is this, how do I indicate to Jetty 9.4.11 to return a secure redirection uri instead of non-secure? Or, how does Jetty 9.4.11 determine how to redirect to secure instead of non secure uri? Please see the debug information generated by my jetty 9.4.11 below. I am almost there towards the completion of this effort. As you can see, it is returning a non secure uri for the location header attribute. My embedded Jetty 7 correctly returns secure uri for the location header attribute.

Thanks,

Ike

2018-10-10 12:28:36,691 [qtp958678400-48] DEBUG HttpChannel - sendResponse info=null content=***@5639ad7d[p=0,l=0,c=0,r=0]={<<<>>>} complete=true committing=true callback=***@2afcfd94{null}
2018-10-10 12:28:36,691 [qtp958678400-48] DEBUG HttpChannel - COMMIT for /SSPDashboard/faces/logon.jsp;jsessionid=ycrx3afb3zghqc1kn4la5oc2g3v0itdceogh1seg5lll8p9gg.node0 on ***@4420504a{r=1,c=true,a=DISPATCHED,uri=//10.xxx.xxx.xxx:7777/SSPDashboard/faces/logon.jsp;jsessionid=ycrx3afb3zghqc1kn4la5oc2g3v0itdceogh1seg5lll8p9gg.node0,age=771}
302 null HTTP/1.1
X-Frame-Options: SAMEORIGIN
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
Set-Cookie: JSESSIONID=jzf3myxmxspuzsjnqj1mhn99stt66j3ref0162afecyid5ux.node0;Path=/SSPDashboard;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://10.xxx.xxx.xxx:7777/SSPDashboard/faces/configuration.jsp
=====================================================
Please refer to http://www.aricent.com/email-disclaimer
for important disclosures regarding this electronic communication.
=====================================================

Simone Bordet

2018-10-11 10:13:56 UTC

Permalink

Hi,

Post by Eze Ikonne
Hi all,
I just would like to report that I am making some progress on upgrading Jetty 7 to Jetty 9.4.11, I will share the things that I have learned once the effort is completed. However, I am now stuck because, for some reason, Jetty 9.4.11 is returning a non-secure uri when it supposed to return secure uri back to the browsers. My question is this, how do I indicate to Jetty 9.4.11 to return a secure redirection uri instead of non-secure? Or, how does Jetty 9.4.11 determine how to redirect to secure instead of non secure uri? Please see the debug information generated by my jetty 9.4.11 below. I am almost there towards the completion of this effort. As you can see, it is returning a non secure uri for the location header attribute. My embedded Jetty 7 correctly returns secure uri for the location header attribute.

This is done with a SecureRequestCustomizer on the HttpConfiguration.
Are you using it?

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Eze Ikonne

2018-10-11 15:34:14 UTC

Permalink

Hi all,

Thanks Simone, that is exactly what my problem had been. I believe that this mechanism was introduced in either jetty 8 or jetty 9. Once I added it, everything started working. I think it should be highlighted in the sample examples posted on Jetty website, at the moment there is really no mention of this in most of the examples on jetty website, but it turns out to be a big deal. All this while, it turns out to be new SecureRequestCustomizer() injected into the httpConfiuration. I would like to thank the entire jetty group for their support, Jan and the rest, thanks to you.

Ike

-----Original Message-----
From: jetty-users-***@eclipse.org [mailto:jetty-users-***@eclipse.org] On Behalf Of Simone Bordet
Sent: Thursday, October 11, 2018 5:14 AM
To: JETTY user mailing list <jetty-***@eclipse.org>
Subject: Re: [jetty-users] Issue with upgrading to Jetty 9.4.11

** This mail has been sent from an external source **

Hi,

This is done with a SecureRequestCustomizer on the HttpConfiguration.
Are you using it?

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support from the Jetty & CometD experts.
_______________________________________________
jetty-users mailing list
jetty-***@eclipse.org
To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
=====================================================
Please refer to http://www.aricent.com/email-disclaimer
for important disclosures regarding this electronic communication.
=====================================================

Simone Bordet

2018-10-11 20:22:15 UTC

Permalink

Hi,

Post by Eze Ikonne
Hi all,
Thanks Simone, that is exactly what my problem had been. I believe that this mechanism was introduced in either jetty 8 or jetty 9. Once I added it, everything started working. I think it should be highlighted in the sample examples posted on Jetty website, at the moment there is really no mention of this in most of the examples on jetty website, but it turns out to be a big deal. All this while, it turns out to be new SecureRequestCustomizer() injected into the httpConfiuration. I would like to thank the entire jetty group for their support, Jan and the rest, thanks to you.

Please open an issue about this lack of documentation.
There is a reference to SecureRequestCustomizer at
https://www.eclipse.org/jetty/documentation/9.4.x/configuring-connectors.html#jetty-connectors,
but it may be expanded.
Consider to propose a pull request with the updated documentation, we
will appreciate it.
Thanks!

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.