
I have a project which uses RESTEasy: The REST object

The jar contains a file called resteasy-client.js. This file is added to web pages, where it makes it easier to create HTTP calls. There is a bug! Once the file is sent to the client, there is a line that is added by the server in JSAPIWriter.java, in the method writeJavaScript:

```java
writer.println("REST.apiURL = '" + uri + "';");
```

Over HTTPS this creates an incorrect URL, which is HTTP and not HTTPS! This is from the source on my web site:

```javascript
REST.apiURL = 'http://proXXXXXXXX';
```

As you can see, the protocol is not correct. I am looking for a way to override this issue without making changes to the original code file. Thanks for the help.

Update: this issue occurs because the server is behind a FW, and HTTPS is sent to the server as HTTP instead of HTTPS. The question is how I can tell this JSAPI that its protocol is HTTPS (I can read it from the headers).

developer learn999
  • And, just a sanity check - you are specifying https in your browser when testing? Your link also shows: `// Change the base URL used by the API:` `REST.apiURL = "http://api.service.com";` Have you tried adding that and changing the URL to be `REST.apiURL = "https://yourdomain.com";` – JGlass Oct 12 '18 at 17:49
  • I can't change it since it's part of the jar, and I am looking for a way to override it in some way... – developer learn999 Oct 12 '18 at 21:55
  • I think you override it just by placing this in your code `REST.apiURL = "https://yourdomain.com";` – JGlass Oct 15 '18 at 13:14
  • @JGlass I updated the source of the problem; the issue now is how to pass the HTTPS to the init of the JSAPI – developer learn999 Oct 23 '18 at 22:48
  • So is it Client->HTTP->Firewall->HTTPS->Application Server? – JGlass Oct 23 '18 at 23:11
  • HTTPS->FW->HTTP->APPLICATION SERVER – developer learn999 Oct 25 '18 at 14:03
  • Have your Info Sec (Information Security) change it to HTTPS->FW->*HTTP*->APPLICATION SERVER? You will need the SSL cert being used by the firewall. It would likely alleviate your problem easier, it's usually called SSL Pass Through in FW terms. It also adds a hair more security as it's HTTPS end to end. – JGlass Oct 25 '18 at 14:52
  • I already have the header "X-Forwarded-Proto" – developer learn999 Oct 25 '18 at 16:06
  • That doesn't look like it will affect the servlet in any way ([x-forwarded-headers](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html)) other than that you'd be able to access that header and respond accordingly... No chance of having Info Sec do the HTTPS passthrough? Not sure how big your company is but it's usually a one minute change for the Info Sec team. – JGlass Oct 25 '18 at 16:53
  • This is the Amazon AWS load balancer: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html The JSAPI wasn't originally designed to read from a specific header to check the protocol, for example, nor was any configuration for this given. – developer learn999 Oct 26 '18 at 10:57
  • Can you configure the "instance" (your server instance) to use HTTPS on port 8443 instead of just using HTTP? [elb create https ssl load balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html). If you can't then I think the workaround would be getting an instance of the underlying servlet in your code and changing the URL if possible to HTTPS on the response - sounds like it might not work though since it's the JavaScript that's ending up as HTTP – JGlass Oct 26 '18 at 16:19
  • Also, this sort of looks to be your problem doesn't it? [javascript google transliterate api not served over https](https://stackoverflow.com/questions/44667348/javascript-google-transliterate-api-not-served-over-https) – JGlass Oct 26 '18 at 16:28
  • I can change the FW->HTTP to FW->HTTPS, but I was first interested in whether I can somehow change it at the Java level – developer learn999 Oct 27 '18 at 07:55
  • Yeah, I'm not sure - but you might as well go the more secure route ;-) – JGlass Oct 31 '18 at 19:10

1 Answer


I extended the main class of the jar, changed the web.xml to point to the new class I created, and read the X-Forwarded-Proto header to get the correct protocol.

Mihai Chelaru
developer learn999
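The idea in the answer, sketched as an added example (not the answerer's code and not RESTEasy's): it uses a standard servlet filter with a request wrapper instead of subclassing the jar's class, and assumes the JSAPI servlet derives `uri` from `request.getRequestURL()`. `ForwardedProtoFilter`, `HttpsRequest` and the proxy address `10.0.0.10` are hypothetical names and values.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Added example: map this filter in web.xml to the same url-pattern as the JSAPI servlet.
public class ForwardedProtoFilter implements Filter {
    // Hypothetical placeholder: address(es) of the firewall / load balancer that sets the header.
    private static final Set<String> TRUSTED_PROXIES = new HashSet<>(Arrays.asList("10.0.0.10"));

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Trust the header only from the known proxy, and only as the exact token "https".
        // The URL is concatenated into a JavaScript string literal, so the header value
        // itself is never copied into it; the scheme below is a constant.
        boolean forwardedHttps = TRUSTED_PROXIES.contains(http.getRemoteAddr())
                && "https".equalsIgnoreCase(http.getHeader("X-Forwarded-Proto"));
        chain.doFilter(forwardedHttps ? new HttpsRequest(http) : http, res);
    }

    // Presents the original client-facing scheme to whatever builds URLs from the request.
    static final class HttpsRequest extends HttpServletRequestWrapper {
        HttpsRequest(HttpServletRequest request) { super(request); }

        @Override public String getScheme() { return "https"; }
        @Override public boolean isSecure() { return true; }

        @Override
        public StringBuffer getRequestURL() {
            StringBuffer url = new StringBuffer(super.getRequestURL());
            if (url.indexOf("http://") == 0) {
                url.replace(0, 4, "https"); // "http://host/..." -> "https://host/..."
            }
            return url;
        }
    }
}
```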