Mantis Bugtracker
  

Viewing Issue Simple Details Jump to Notes ] View Advanced ] Issue History ] Print ]
ID Category Severity Reproducibility Date Submitted Last Update
0000157 [Resin] minor always 05-11-05 00:00 11-30-05 14:44
Reporter david@eyefinity.com View Status public  
Assigned To
Priority normal Resolution fixed  
Status closed   Product Version
Summary 0000157: <security-constraint> fails when url has query string
Description RSN-155
With the following config settings:

<host host-name="www.hogwarts.com" secure-host-name="secure.hogwarts.com">
...
</host>
<web-app-default>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint transport-guarantee="CONFIDENTIAL"/>
  </security-constraint>
</web-app-default>

Intended to force all users into HTTPS mode, the automatic redirect fails if the URL has a query string on it. In this scenario, navigating to "http://www.hogwarts.com?test=foobar" [^] sends you to "https://secure.hogwarts.comtest=foobar". [^] This results in a 404 NOT FOUND since the question mark has been stripped.
Additional Information Win XP, Win2k
Attached Files

- Relationships

- Notes
(0000186)
david@eyefinity.com
05-11-05 00:00

--- TransportConstraint.java.orig Sat Mar 5 12:17:00 2005
+++ TransportConstraint.java Wed May 11 15:03:32 2005
@@ -90,7 +90,7 @@
       if (request.getPathInfo() != null)
     url += request.getPathInfo();
       if (request.getQueryString() != null)
- url += request.getQueryString();
+ url += "?" + request.getQueryString();
 
       response.sendRedirect(url);
       return false;
 
(0000187)
ferg
05-11-05 00:00

server/12h0
 

- Issue History
Date Modified Username Field Change
05-11-05 00:00 david@eyefinity.com New Issue
11-30-05 00:00 administrator Fixed in Version  => 3.0.14
11-30-05 14:44 ferg Status resolved => closed


Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
30 total queries executed.
28 unique queries executed.
Powered by Mantis Bugtracker