Mantis - Resin
157 minor always 05-11-05 00:00 11-30-05 14:44
david@eyefinity.com  
 
normal  
closed  
fixed  
none    
none 3.0.14  
0000157: <security-constraint> fails when url has query string
RSN-155
With the following config settings:

<host host-name="www.hogwarts.com" secure-host-name="secure.hogwarts.com">
...
</host>
<web-app-default>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint transport-guarantee="CONFIDENTIAL"/>
  </security-constraint>
</web-app-default>

Intended to force all users into HTTPS mode, the automatic redirect fails if the URL has a query string on it. In this scenario, navigating to "http://www.hogwarts.com?test=foobar" sends you to "https://secure.hogwarts.comtest=foobar". This results in a 404 NOT FOUND since the question mark has been stripped.
Win XP, Win2k
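
A check for the failure described above, as an added example that is not part of the original report or of Resin: it compares each captured HTTP request URL with the Location header it was redirected to and flags redirects that lose the secure host, path or query string. The function names and the two index.jsp sample pairs are assumptions constructed for illustration; the first pair is the one from the report.

```python
from urllib.parse import urlsplit

def check_secure_redirect(requested_url, location, secure_host):
    """Return a list of problems with an HTTP-to-HTTPS redirect (empty = OK)."""
    req, loc = urlsplit(requested_url), urlsplit(location)
    problems = []
    if loc.scheme != "https":
        problems.append("scheme")
    # A dropped "?" fuses the query into the authority, so the browser is
    # sent to a different host name than the configured secure host.
    if loc.hostname != secure_host.lower():
        problems.append("host")
    # An empty path and "/" address the same resource.
    if (loc.path or "/") != (req.path or "/"):
        problems.append("path")
    # The query must survive byte for byte (it is still percent-encoded).
    if loc.query != req.query:
        problems.append("query")
    return problems

def audit(captures, secure_host):
    """Map each failing requested URL to the problems found in its redirect."""
    report = {}
    for requested_url, location in captures:
        problems = check_secure_redirect(requested_url, location, secure_host)
        if problems:
            report[requested_url] = problems
    return report

# Constructed sample of (requested URL, Location header) pairs.
CAPTURES = [
    ("http://www.hogwarts.com?test=foobar",            # pair from the report
     "https://secure.hogwarts.comtest=foobar"),
    ("http://www.hogwarts.com/index.jsp?test=foobar",  # constructed, correct
     "https://secure.hogwarts.com/index.jsp?test=foobar"),
    ("http://www.hogwarts.com/index.jsp",              # constructed, correct
     "https://secure.hogwarts.com/index.jsp"),
]

if __name__ == "__main__":
    for url, problems in audit(CAPTURES, "secure.hogwarts.com").items():
        print(url, "->", ", ".join(problems))
```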

Notes
(0000186)
david@eyefinity.com   
05-11-05 00:00   
--- TransportConstraint.java.orig Sat Mar 5 12:17:00 2005
+++ TransportConstraint.java Wed May 11 15:03:32 2005
@@ -90,7 +90,7 @@
       if (request.getPathInfo() != null)
     url += request.getPathInfo();
       if (request.getQueryString() != null)
- url += request.getQueryString();
+ url += "?" + request.getQueryString();
 
       response.sendRedirect(url);
       return false;
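Review bot: the changed line `url += "?" + request.getQueryString();` comes without a regression test, and the failure it fixes (a redirect whose host and query run together) is silent on the server side and easy to reintroduce. Please add a test that requests an HTTP URL with a query string, once with path info and once without, and asserts the exact Location value passed to `response.sendRedirect(url)`. A short comment on this line would also help: getQueryString() returns the query still percent-encoded, so it has to be appended as is and not encoded a second time.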
(0000187)
ferg   
05-11-05 00:00   
server/12h0