Hitachi

uCosminexus Application Server Compatibility Guide


6.16.3 Precautions related to reporting the gateway information to the Web container

The following are cautionary notes on using the gateway specification functionality:

Specifying the host name and port number of a URL to which access is redirected:

A browser usually sends a request with the Host header appended, so it is not necessary to specify the host name or port number for a URL to which access is to be redirected.

Note that you can check whether or not the request has the Host header by calling the getHeader method of the javax.servlet.http.HttpServletRequest interface, with Host specified as the argument.

Servlet API behavior:

Using the gateway specification functionality causes some servlet API functions to behave differently. Take care when using API functions with a Web application.

The following describes the precautions on servlet APIs when using the gateway specification functionality for each method to be used:

  • The sendRedirect method of the javax.servlet.http.HttpServletResponse class

    When you specify a relative URL for the argument, and if the request does not have the Host header, the host name and port number of the URL of the redirection destination are the values specified by the gateway specification functionality. When you specify a relative URL for the argument and use the gateway specification functionality to specify that the scheme is to be considered as https, the scheme of the URL of the redirection destination is always https.

  • The getRequestURL method of the javax.servlet.ServletRequest interface

    When you use the gateway specification functionality to specify that the scheme is to be considered as https, the return value is always a URL starting with https://.

  • The getServerName method of the javax.servlet.ServletRequest interface

    When you use the gateway specification functionality to specify the host name of the URL of the redirection destination, and if the request does not have the Host header, the return value is the value you specified.

  • The getServerPort method of the javax.servlet.ServletRequest interface

    When you use the gateway specification functionality to specify the port number of the URL of the redirection destination, and if the request does not have the Host header, the return value is the value you specified.

    When you use the gateway specification functionality to specify the host name of the URL of the redirection destination, and if the port number is omitted, the return value is 80 when the request scheme is http, and 443 when the request scheme is https.

  • The getScheme method of the javax.servlet.ServletRequest interface

    When you use the gateway specification functionality to specify that the scheme is to be considered as https, the return value is always https.

  • The isSecure method of the javax.servlet.ServletRequest interface

    When you use the gateway specification functionality to specify that the scheme is to be considered as https, the return value is always true.

  • The getAttribute method of the javax.servlet.ServletRequest interface

    The following attributes cannot be obtained even when you use the gateway specification functionality to specify that a scheme is to be considered as https:

    - javax.servlet.request.cipher_suite (When Microsoft IIS is used for the Web server, this attribute cannot be obtained regardless of whether the gateway specification functionality is used.)

    - javax.servlet.request.key_size

    - javax.servlet.request.X509Certificate
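
The following filter is an added example, not part of the Hitachi manual or product code: for each request it logs what the servlet API methods listed above return, whether the Host header is present, and whether the three TLS attributes are absent. The class name GatewayViewFilter and the log format are hypothetical, and treating isSecure() with no TLS attributes as https asserted by the gateway settings is an assumption.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

// Added example (hypothetical class name): logs what the servlet API reports
// for each request so the effect of the gateway settings can be verified.
public class GatewayViewFilter implements Filter {
    // TLS attributes the page lists as unobtainable behind the gateway.
    private static final String[] TLS_ATTRS = {
        "javax.servlet.request.cipher_suite",
        "javax.servlet.request.key_size",
        "javax.servlet.request.X509Certificate" };

    private ServletContext ctx;

    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() { }

    // Builds one log line from the methods discussed above.
    static String describe(HttpServletRequest req) {
        StringBuilder sb = new StringBuilder();
        sb.append("hostHeader=").append(req.getHeader("Host") != null)
          .append(" scheme=").append(req.getScheme())
          .append(" secure=").append(req.isSecure())
          .append(" server=").append(req.getServerName())
          .append(':').append(req.getServerPort())
          .append(" url=").append(req.getRequestURL());
        int missing = 0;
        for (String name : TLS_ATTRS) {
            if (req.getAttribute(name) == null) { missing++; }
        }
        // Assumption: isSecure() with no TLS attributes means "https" comes
        // from configuration, so no client certificate can be checked here.
        if (req.isSecure() && missing == TLS_ATTRS.length) {
            sb.append(" tlsDetails=none(gateway-asserted https)");
        } else {
            sb.append(" tlsAttrsMissing=").append(missing);
        }
        return sb.toString();
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        if (rq instanceof HttpServletRequest) {
            ctx.log(describe((HttpServletRequest) rq));
        }
        chain.doFilter(rq, rs);
    }
}
```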

The <transport-guarantee> tag in web.xml:

When you use the gateway specification functionality to specify that a scheme is to be considered as HTTPS, a request to a Web server will be considered to use HTTPS even if the request actually uses HTTP. Note that this prevents access from being redirected to a URL that uses HTTPS, even if you specify INTEGRAL or CONFIDENTIAL in the <transport-guarantee> tag in web.xml.

The Secure attribute for cookies:

When you use the gateway specification functionality to specify that a scheme is to be considered as HTTPS, the Secure attribute is appended to the session cookie when a session ID generated by a Web container is returned to the client by that cookie.