
[Edit] - Thanks for the comments. I've tried to shape my question accordingly and I've added some additional information based on the suggestions offered.

I have a JSF web application running on JBoss AS7 that I front with Apache on SSL (port 443). Apache and JBoss are running on the same machine and communicate "in the clear" over HTTP with reverse proxy forwarding rules. With this setup, I have observed that clicking on any link created via the JSF tag `<h:commandLink>` (i.e. without `<f:ajax>` and where there is always a genuine backing bean action method that, after performing some business logic, returns an outcome with the `?faces-redirect=true` suffix) will see the page redirect fail because the https scheme is dropped and replaced with http.

If I replace all instances of `<h:commandLink>` with `<h:commandLink><f:ajax/></h:commandLink>`, this redirection problem goes away - i.e. the https scheme is preserved in the resulting redirected URL.

Could anyone explain to me what I'm observing and what the "under-the-hood" difference between the non-ajax form submit and ajax submit might be in this case?

Additional Information:

My Apache reverse proxy rules:

```
ProxyRequests Off
ProxyPreserveHost On

<Proxy *>
    Order Allow,Deny
    Allow from all
</Proxy>

ProxyPass / http://localhost:8080/ timeout=1800
ProxyPassReverse / http://localhost:8080/
```

The web console in Firefox shows the difference between the ajax form submit and non-ajax form submit HTTP requests as:

Ajax submit via `<h:commandLink><f:ajax/></h:commandLink>`

I see a GET request to the expected page on https (I can't yet post screen shots)

Non-ajax submit via `<h:commandLink/>`

The non-ajax version first POSTs back to the same page (which is expected) on https with a 302 status code 'Moved Temporarily' and then redirects to the target page from the action method on http.

Location in HTTP header for POST before failed GET redirect on http

Here's a screen shot. The location value for the POST shows as the URL of the GET request, on http and not https:


I guess I've gotten slightly "under-the-hood" at this point. Since the `<f:ajax>` approach achieves the desired result, I am happy leaving this alone. It seems there are at least a few other JSF posts related to this same sort of thing (here's the single URL I'm allowed to post):

JSF redirects from HTTPS to HTTP

Maybe the ajax-based approach is required to preserve the scheme in the URL originating from the client?

Thanks,

-Andy

Andrew David
  • `h:commandLink` doesn't drop the protocol scheme. Post the XHTML you're using. – user207421 Jul 31 '15 at 22:57
  • I agree that h:commandlink doesn't drop the scheme. In this case, it is using the scheme that it gets the requests on, which is http from Apache (on the same machine as JBoss). That is, h:commandlink works fine when I am *not* using Apache in front and running JBoss directly on either SSL (8443) or HTTP (8080). In either of these cases, it maintains the scheme (just as it does when being fronted by Apache and communicating in the clear on http). – Andrew David Jul 31 '15 at 23:44
  • Assuming you use ProxyPass, did you also configure the proxyPassReverse? (More but relevant details of the apache config are very relevant as you can imagine) – Kukeltje Aug 01 '15 at 06:37
  • And the differences can be very easily observed by looking at the network tab in your browser developer tool. It is a normal response vs a http-redirect response. Detail about the ?faces-redirect are abundant on Stackoverflow – Kukeltje Aug 01 '15 at 06:40
  • Btw, if you add an `f:ajax` to the `h:commandLink`, you'd observe the same difference, or with a `h:commandButton`. It is a non-jsf related thing. And certainly not PF related. – Kukeltje Aug 01 '15 at 09:14
  • Please see revised question. – Andrew David Aug 01 '15 at 13:46
  • What do you see in the `Location` header for the HTTP-302? – kolossus Aug 01 '15 at 20:53
  • @kolossus - please see latest screen shot in question for Location header value. – Andrew David Aug 02 '15 at 00:49
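
A simplified model of how `ProxyPassReverse` treats the `Location` header under the configuration in the question, with a check for the https-to-http redirect seen in the 302 response. This is an added example, not code from the original post. The hostname `app.example.test`, the paths, and the way the backend builds its absolute redirect URL are assumptions.

```python
from urllib.parse import urlsplit

# Values from the question's config: ProxyPassReverse / http://localhost:8080/
BACKEND_PREFIX = "http://localhost:8080/"
PUBLIC_PATH = "/"
PUBLIC_ORIGIN = "https://app.example.test"  # constructed public HTTPS origin


def proxy_pass_reverse(location, backend_prefix=BACKEND_PREFIX,
                       public_path=PUBLIC_PATH, public_origin=PUBLIC_ORIGIN):
    """Simplified model of ProxyPassReverse: only a Location that starts with
    the backend prefix is rewritten to the proxy's own scheme and host."""
    if location.startswith(backend_prefix):
        return public_origin + public_path + location[len(backend_prefix):]
    return location  # no prefix match: header passes through unchanged


def backend_redirect(host_header, target_path, scheme="http"):
    """Assumed backend behaviour: the absolute redirect URL is built from the
    scheme of the connection the backend saw and the Host header it received."""
    return f"{scheme}://{host_header}{target_path}"


def is_scheme_downgrade(request_url, status, location):
    """Flag a redirect answered over https whose Location points at http."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    loc = urlsplit(location)  # a relative Location has an empty scheme
    return urlsplit(request_url).scheme == "https" and loc.scheme == "http"


def simulate(preserve_host, target_path="/app/target.xhtml"):
    """Return the Location the browser receives for a non-ajax POST."""
    # ProxyPreserveHost On forwards the client's Host; Off sends the backend's.
    host = "app.example.test" if preserve_host else "localhost:8080"
    return proxy_pass_reverse(backend_redirect(host, target_path))


if __name__ == "__main__":
    for preserve in (True, False):
        loc = simulate(preserve)
        bad = is_scheme_downgrade(PUBLIC_ORIGIN + "/app/page.xhtml", 302, loc)
        print(f"ProxyPreserveHost={'On' if preserve else 'Off'}: {loc} downgrade={bad}")
```
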
