Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ExternalContextImpl.encodeWebsocketURL fails behind SSL termination #4527

Closed
schulzp opened this issue Jan 9, 2019 · 7 comments
Closed

ExternalContextImpl.encodeWebsocketURL fails behind SSL termination #4527

schulzp opened this issue Jan 9, 2019 · 7 comments
Assignees
@BalusC

Comments

@schulzp
Copy link
Contributor

schulzp commented Jan 9, 2019

Hi

I'm using <f:websocket> and do get JS error:

jsf.js:1 Mixed Content: The page at 'https://...' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://.../javax.faces.push/events?ea1d8743-eca9-45a0-b548-ad3b1fd48c69'. This request has been blocked; this endpoint must be available over WSS.

ExternalContextImpl uses request.getSchema() to determine the correct protocol, yet that does not work behind a reverse proxy terminating SSL (HTTPS) and forwarding the request via HTTP.

Instead, it should use HttpServletRequest#getRequestURL().
schulzp added a commit to schulzp/mojarra that referenced this issue Jan 9, 2019
@schulzp
fix eclipse-ee4j#4527 by considering request URL protocol instead of …
1f1b5b3 
…request schema
@schulzp
Copy link
Contributor Author

schulzp commented Jan 15, 2019

Hi @arjantijms!

With all due respect, is there any chance this fix is going to make it into the next release?

@arjantijms
Copy link
Contributor

Hi,

Somewhat catching up on a huge backlog of emails. From a glance this would be in scope indeed, although the code in question is Bauke's area of expertise. I'll provisionally assign this to him.

Thanks for the report!

@schulzp
Copy link
Contributor Author

schulzp commented Feb 5, 2019

Hi!

Thanks, @arjantijms. @BalusC, could you please have a look?

Cheers
Peter

@BalusC
Copy link
Contributor

BalusC commented Feb 6, 2019

Instead, it should use HttpServletRequest#getRequestURL().

This fix is correct. Can you create PR?

@schulzp
Copy link
Contributor Author

schulzp commented Feb 6, 2019
edited
Loading

@BalusC, here you are: #4529 😄

arjantijms added a commit that referenced this issue Feb 6, 2019
@arjantijms
Merge pull request #4529 from schulzp/external-context-websocket-4527
39d7be0 
fix #4527 by considering request URL protocol instead of request schema
@schulzp
Copy link
Contributor Author

schulzp commented Feb 7, 2019

Thanks, @arjantijms and @BalusC!

@michael-knapp-j4care
Copy link

I have the same error message on a client site, the setup described below is used:
Browser connects via TLS to some secure proxy, the proxy itself connects via unsecure http to the application server. The application server is not aware of that secure communication in the browser and generates there unsecure ws:// URL, which is rendered to the HTML output.
Solution: it should be decided on client side (in jsf.js) when to use ws:// or wss://

Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@BalusC BalusC

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@schulzp @BalusC @arjantijms @michael-knapp-j4care