-
Notifications
You must be signed in to change notification settings - Fork 5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix Response#sendRedirect() if no request context exists. #479
Fix Response#sendRedirect() if no request context exists. #479
Conversation
If no ROOT context is defined, the context may be null in special cases, e.g. RewriteValve may use Response#sendRedirect() without any application context associated. In this case, the Tomcat behaviors for the context attributes useRelativeRedirects and sendRedirectBody are assumed, but without considering org.apache.catalina.STRICT_SERVLET_COMPLIANCE.
Hi, I stumbled across this issue while writing a "RewriteValve" rule that redirects everything based on an HTTP header condition. This is happening in a development environment where no ROOT context is configured and no reverse proxy ensures that only valid path prefixes are passed to the Tomcat instances. So it is not a real production world problem, but the NPE made me skeptical. I don't know if there is an easy way to access the actual configured default values from the context.xml and taking into account the STRICT_SERVLET_COMPLIANCE setting. This would be the preferred solution, but the case is also relatively unlikely in production setups and my primary goal is to avoid the NPE. Cheers, |
This looks like invalid configuration at this point. Generally, an NPE is preferable to a change that masks a configuration issue. |
That is a good point. Do you think the misconfiguration is that a ROOT context should always be configured, or that rewrite rules should only be defined on existing contexts? |
I can see valid use cases that wouldn't meet at least one of those criteria so I don't think it is quite that simple. Having a concrete use case to discuss might make things a little clearer. Can you provide an example that triggered the NPE (request URI, rewrite rule and any other relevant info)? |
A valid UseCase for me would be: Migration of an application to a new context
In this case you would forward both URL prefixes from the load balancer/proxy to the Tomcat and define a rewrite rule that redirects all requests to the old context to the new one.
But since there exists no context for myOldApp, this would result in an NPE. (And yes, of course the Tomcat terminates TLS in this case and not the load balancer, otherwise you would do the redirect there of course.) I would prefer to handle such misconfiguration by the RewriteValve in a understandable way without debugging into Tomcat codebase. But I don't see any practical way for reliable detection by the RewriteValve. Neither when loading the rule configuration, nor at runtime (except to catch the NPE). |
Thanks for that example. |
It expands the capability of rewrite a bit, so "no" would be a good option. |
Based on this discussion, the original fix is correct. I'll merge this shortly. |
Thanks for the discussion, time and all your great work on the Tomcat project. |
If no ROOT context is defined, the context may be null in special cases, e.g. RewriteValve may use Response#sendRedirect() without any application context associated.
In this case, the Tomcat behaviors for the context attributes useRelativeRedirects and sendRedirectBody are assumed, but without considering org.apache.catalina.STRICT_SERVLET_COMPLIANCE.