[MAGNOLIA-5382] Handling of URIs and paths with path parameters such as JSESSIONID Created: 14/Oct/13  Updated: 24/Apr/14  Resolved: 26/Nov/13

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 5.1
Fix Version/s: 4.5.14, 5.2

Type: Bug Priority: Neutral
Reporter: Tobias Mattsson Assignee: Tobias Mattsson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
dependency
is depended upon by MAGNOLIA-5356 Web.xml uses 2.5 and 3.0 features but... Closed
is depended upon by MGNLADMLEG-26 AdminTreeMVCServlet fails to find Tre... Closed
is depended upon by MGNLDAM-322 DamDownloadServlet goes into redirect... Closed
is depended upon by MGNLUI-2291 Admincentral fails to start when JSES... Closed
duplicate
is duplicated by MAGNOLIA-4003 info.magnolia.module.admininterface.P... Closed
relation
is related to MAGNOLIA-4911 Sticky "jsessionid" URL parameter cau... Closed
is related to MAGNOLIA-3843 Cannot find MIME type for extension "... Closed
supersession
supersedes MAGNOLIA-3841 Mime type resolution fails when runni... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Sprint: 5.2-rc1

 Description   

In Magnolia we currently have issues handling path parameters such as JSESSIONID. Path parameters are part of the URL and are preceded by a semicolon. The semicolon is a reserved character in URLs.

After MAGNOLIA-3716 we started seeing JSESSIONID appearing more often. We're now asking the servlet container to encode the redirect url before returning it, it will include the JSESSIONID if it thinks its needed.

Jetty has always included the JSESSIONID path parameter in the return from HttpServletRequest.getRequestURI(), as of version 6.0.33 Tomcat does too. See https://issues.apache.org/bugzilla/show_bug.cgi?id=51833 Arguably this is the correct behaviour. It is up to the web application to parse the returned uri and strip path parameters from it.

In Magnolia we need to make sure the JSESSIONID is stripped whenever we access the request object directly and ensure that it's stripped when populating the AggregationState / RenderingContext.

Mime types are not set correctly
In ContentTypeFilter we use the extension to lookup the correct mime type. However the extension we're looking for is jpg;JSESSIONID=123.

See http://demopublic.magnolia-cms.com/.imaging/stk/pop/stage/dam/demo-project/img/bk/Stage/lines-looking-like-sand/jcr:content/lines%20looking%20like%20sand.2012-02-17-12-18-07.jpg;JSESSIONID=123

This was reported in MAGNOLIA-3841

ServletDispatchingFilter fails to map requests
When the URI contains a JSESSIONID ServletDispatchingFilter does not match it to the servlet.

It uses the uri in AggregationState if a WebContext is present, otherwise it takes it from getRequestURI(). See Mapping.findMatcher().

See http://demoauthor.magnolia-cms.com/.magnolia/admincentral;jsessionid=EE3DB6042B1B57AD55C2633428F44496

This is the cause of MAGNOLIA-4911. It was however fixed by using the Servlet 3.0 feature tracking-mode=cookie, this needs to be reverted, see MAGNOLIA-5356

Page rendering fails with 404
When a JSESSIONID is present in the URI AggregatorFilter can't find the content because its looking for a node having it in its name.

Note that this only happens when not using an extension, this is because URI2RepositoryMapping#getHandle strips of the extension and with it the path parameters.

http://demopublic.magnolia-cms.com/demo-project;jsessionid=EE3DB6042B1B57AD55C2633428F44496

Install filter does start Magnolia
When there's a JSESSIONID present the InstallFilter does not recognize the start action in the URI and returns 500

See http://localhost:8080/.magnolia/installer/start;JSESSIONID=123

ContextFilter puts JSESSIONID into MDC
Needs to strip path parameters

BasePatternVoter and subclasses fail to match
When its subclasses URIPatternVoter and URIRegexVoter are used with HttpServletRequest they will not match if a JSESSIONID is present

RequestAttributeStrategy returns uri with JSESSIONID
When asked for the constant "requestURI" it will return it with the JSESSIONID

RedirectClientCallback fails to check if at target
If there's a JSESSIONID in the path the check to see if it's already at the target won't have effect.

RangeSupportFilter includes JSESSIONID in ETag
It needs to be stripped before extracting the file name from the request URI.



 Comments   
Comment by Tobias Mattsson [ 01/Nov/13 ]

Not yet merged to 4.5.14, needs to happen once 4.5.13 is released.

Comment by Tobias Mattsson [ 11/Nov/13 ]

Merged to 4.5.14.

Generated at Mon Feb 12 04:04:38 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.