Mantis Bugtracker
  

Viewing Issue Simple Details
ID: 0000157
Category: [Resin]
Severity: minor
Reproducibility: always
Date Submitted: 05-11-05 00:00
Last Update: 11-30-05 14:44
Reporter: user142
View Status: public
Assigned To:
Priority: normal
Resolution: fixed
Status: closed
Product Version:
Summary: 0000157: <security-constraint> fails when url has query string
Description: RSN-155
With the following config settings:

<host host-name="www.hogwarts.com" secure-host-name="secure.hogwarts.com">
...
</host>
<web-app-default>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint transport-guarantee="CONFIDENTIAL"/>
  </security-constraint>
</web-app-default>

Intended to force all users into HTTPS mode, the automatic redirect fails if the URL has a query string on it. In this scenario, navigating to "http://www.hogwarts.com?test=foobar" sends you to "https://secure.hogwarts.comtest=foobar". This results in a 404 NOT FOUND since the question mark has been stripped.
Additional Information: Win XP, Win2k
Attached Files

- Relationships

- Notes
(0000186)
user142
05-11-05 00:00

--- TransportConstraint.java.orig Sat Mar 5 12:17:00 2005
+++ TransportConstraint.java Wed May 11 15:03:32 2005
@@ -90,7 +90,7 @@
       if (request.getPathInfo() != null)
     url += request.getPathInfo();
       if (request.getQueryString() != null)
- url += request.getQueryString();
+ url += "?" + request.getQueryString();
 
       response.sendRedirect(url);
       return false;
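Review bot: the unchanged context line `url += request.getPathInfo();` above the fix appends a value that the servlet container has already URL-decoded, whereas `request.getQueryString()` on the changed line is returned undecoded, so after this patch the query survives the redirect intact but an encoded character in the path (for example `%3F` or `%20`) would still be rewritten in the `Location` URL. Consider rebuilding the path from an undecoded source such as `request.getRequestURI()`, and add a test that requests a constrained URL with both a path and a query string and checks the redirect target.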
 
(0000187)
ferg
05-11-05 00:00

server/12h0
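A regression check for the behaviour reported in this issue, as an added example that is not part of the original thread or of Resin's code: given a plain-HTTP request URL and the `Location` value the server answered with, it reports whether the redirect reached the secure host with the path and query string intact. The function name and every sample pair other than the one quoted in the description are constructed for illustration.

```python
from urllib.parse import urlsplit


def check_redirect(request_url, location, secure_host):
    """Return a list of problems with an HTTP -> HTTPS redirect (empty list = OK)."""
    req, loc = urlsplit(request_url), urlsplit(location)
    problems = []
    if loc.scheme != "https":
        problems.append("scheme is %r, expected 'https'" % loc.scheme)
    if (loc.hostname or "") != secure_host.lower():
        problems.append("host is %r, expected %r" % (loc.hostname, secure_host))
    # An empty path and "/" name the same resource, so compare them as equal.
    if (loc.path or "/") != (req.path or "/"):
        problems.append("path is %r, expected %r" % (loc.path, req.path))
    # The bug in this issue: the '?' was dropped, so the query text fused into
    # the host or path and the Location URL has no query component left.
    if loc.query != req.query:
        problems.append("query is %r, expected %r" % (loc.query, req.query))
    return problems


SECURE_HOST = "secure.hogwarts.com"  # secure-host-name from the <host> config above

# (request URL, Location header). The first pair is the one quoted in the
# description; the others are constructed samples.
SAMPLES = [
    ("http://www.hogwarts.com?test=foobar",
     "https://secure.hogwarts.comtest=foobar"),
    ("http://www.hogwarts.com?test=foobar",
     "https://secure.hogwarts.com?test=foobar"),
    ("http://www.hogwarts.com/shop/list?item=wand&page=2",
     "https://secure.hogwarts.com/shop/listitem=wand&page=2"),
    ("http://www.hogwarts.com/login",
     "http://secure.hogwarts.com/login"),
]

if __name__ == "__main__":
    for request_url, location in SAMPLES:
        problems = check_redirect(request_url, location, SECURE_HOST)
        print(location, "->", "OK" if not problems else "; ".join(problems))
```

With no path in the request, the missing `?` shows up as a wrong host; with a path, it shows up as a wrong path, so the check reports both components.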
 

- Issue History
Date Modified Username Field Change
05-11-05 00:00 user142 New Issue
11-30-05 00:00 administrator Fixed in Version  => 3.0.14
11-30-05 14:44 ferg Status resolved => closed

