Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 6.1.14
- Fix Version/s: 6.1.15.rc4
- Component/s: Security and SSL
- Labels: None
- Environment: Jetty with Apache 2.2, mod_proxy_ajp, mod_ssl.
- Patch Submitted: Yes
- Number of attachments:
Description
I'm upgrading from Jetty 5.1.14 to Jetty 6.1.14 and getting an UnsupportedOperationException from any URL that requires SSL in my war file's web.xml using a CONFIDENTIAL constraint.
Stack trace:
java.lang.UnsupportedOperationException
at org.mortbay.jetty.ajp.Ajp13SocketConnector.isConfidential(Ajp13SocketConnector.java:86)
at org.mortbay.jetty.security.SecurityHandler.check(SecurityHandler.java:388)
at org.mortbay.jetty.security.SecurityHandler.checkSecurityConstraints(SecurityHandler.java:269)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:191)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:417)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:324)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:534)
at org.mortbay.jetty.ajp.Ajp13Connection.access$2800(Ajp13Connection.java:44)
at org.mortbay.jetty.ajp.Ajp13Connection$RequestHandler.headerComplete(Ajp13Connection.java:232)
at org.mortbay.jetty.ajp.Ajp13Parser.parseNext(Ajp13Parser.java:498)
at org.mortbay.jetty.ajp.Ajp13Parser.parseAvailable(Ajp13Parser.java:151)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:403)
at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:522)
web.xml fragment:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Management Application</web-resource-name>
        <description>Management Application</description>
        <url-pattern>/mgr</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <description>SSL required</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
I've attached a patch that moves the "sslSecure" flag from Ajp13Connection to Ajp13Request so it is easy to access from the Ajp13SocketConnector when checking CONFIDENTIAL and INTEGRAL constraints. Also, cleared _remoteUser in Ajp13Request.recycle().
As far as I can tell in local testing, the patch appears to fix the issue: Jetty correctly determines whether the incoming request was HTTP or HTTPS and redirects HTTP->HTTPS if necessary, and no exception is thrown.
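For readers unfamiliar with why the AJP connector needs a per-request SSL flag at all: Apache terminates TLS and forwards the request to Jetty over plain AJP, so Jetty cannot inspect the socket to decide whether the client used HTTPS. The only evidence is the is_ssl byte that mod_proxy_ajp writes into the AJP13 Forward Request packet, and that is the value a CONFIDENTIAL constraint check has to consult before deciding to serve or to redirect. The following is an added example (not Jetty's code and not the attached patch) that builds constructed Forward Request packets, decodes the fields up to and including is_ssl, and applies a CONFIDENTIAL check modelled on what SecurityHandler does for the web.xml fragment above. The field order follows the AJPv13 protocol description; the addresses, host names and the hypothetical `check_confidential` helper are constructed for the demonstration.

```python
"""Decode the AJP13 Forward Request SSL flag and apply a CONFIDENTIAL constraint.

Added example, not Jetty source. Packets are constructed locally so it runs offline.
"""
import struct
from dataclasses import dataclass

AJP_MAGIC = b"\x12\x34"          # container-bound packet magic
FORWARD_REQUEST = 0x02           # JK_AJP13_FORWARD_REQUEST prefix code
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE", 7: "TRACE"}


def _enc_str(s: str) -> bytes:
    """AJP string: 2-byte big-endian length, bytes, trailing NUL."""
    b = s.encode("latin-1")
    return struct.pack(">H", len(b)) + b + b"\x00"


def build_forward_request(uri: str, server_name: str, server_port: int, is_ssl: bool, method: int = 2) -> bytes:
    """Construct a minimal Forward Request as mod_proxy_ajp would send it (constructed sample)."""
    body = bytes([FORWARD_REQUEST, method])
    body += _enc_str("HTTP/1.1") + _enc_str(uri)
    body += _enc_str("10.0.0.5") + _enc_str("client.example")   # remote_addr, remote_host (constructed)
    body += _enc_str(server_name)
    body += struct.pack(">H", server_port)
    body += bytes([1 if is_ssl else 0])                          # is_ssl: the flag at issue
    body += struct.pack(">H", 0)                                 # num_headers
    body += b"\xff"                                              # attribute list terminator
    return AJP_MAGIC + struct.pack(">H", len(body)) + body


@dataclass
class AjpRequest:
    method: str
    protocol: str
    uri: str
    remote_addr: str
    remote_host: str
    server_name: str
    server_port: int
    ssl_secure: bool   # what the patch exposes on Ajp13Request


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u8(self) -> int:
        v = self.data[self.pos]
        self.pos += 1
        return v

    def u16(self) -> int:
        (v,) = struct.unpack_from(">H", self.data, self.pos)
        self.pos += 2
        return v

    def string(self):
        n = self.u16()
        if n == 0xFFFF:          # AJP encodes a null string as length 0xFFFF
            return None
        s = self.data[self.pos:self.pos + n].decode("latin-1")
        self.pos += n + 1        # skip the NUL terminator
        return s


def parse_forward_request(packet: bytes) -> AjpRequest:
    """Decode the fixed leading fields of a Forward Request; rejects malformed framing."""
    if packet[:2] != AJP_MAGIC:
        raise ValueError("bad AJP magic")
    (length,) = struct.unpack_from(">H", packet, 2)
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated AJP packet")
    r = _Reader(body)
    if r.u8() != FORWARD_REQUEST:
        raise ValueError("not a Forward Request")
    method = METHODS.get(r.u8(), "UNKNOWN")
    protocol, uri, remote_addr, remote_host, server_name = (r.string() for _ in range(5))
    server_port = r.u16()
    ssl_secure = r.u8() != 0
    return AjpRequest(method, protocol, uri, remote_addr, remote_host, server_name, server_port, ssl_secure)


def _matches(pattern: str, uri: str) -> bool:
    """Servlet url-pattern matching: exact, path prefix ('/x/*') or extension ('*.ext')."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return uri == prefix or uri.startswith(prefix + "/")
    if pattern.startswith("*."):
        return uri.endswith(pattern[1:])
    return uri == pattern


def check_confidential(req: AjpRequest, constrained_patterns, https_port: int = 443):
    """Hypothetical stand-in for SecurityHandler's CONFIDENTIAL handling.

    Returns ("allow", None) when no constraint applies or the request arrived over SSL,
    otherwise ("redirect", https_url) so the client is sent to the secure scheme.
    """
    if not any(_matches(p, req.uri) for p in constrained_patterns):
        return ("allow", None)
    if req.ssl_secure:
        return ("allow", None)
    host = req.server_name if https_port == 443 else f"{req.server_name}:{https_port}"
    return ("redirect", f"https://{host}{req.uri}")


def demo() -> dict:
    """Plain-HTTP and HTTPS requests for the constrained /mgr path from the web.xml above."""
    packets = {
        "plain": build_forward_request("/mgr", "www.example", 80, is_ssl=False),
        "tls": build_forward_request("/mgr", "www.example", 443, is_ssl=True),
        "public": build_forward_request("/index.html", "www.example", 80, is_ssl=False),
    }
    return {name: check_confidential(parse_forward_request(pkt), ["/mgr"]) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the redirect branch is that the decision rests entirely on the forwarded flag, so an AJP connector that cannot read it (as in the stack trace above) has no correct answer to give for a CONFIDENTIAL constraint; in deployment, that flag is only trustworthy when the AJP port is reachable solely from the reverse proxy.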
Shawn,
thanks for the patch. Note that we are in the process of tightening up our IP handling, so can you attach a comment that says your contribution is in accordance with our CLA:
https://svn.codehaus.org/jetty/jetty/branches/jetty-6.1/LICENSES/cla-template.txt
Thanks.