
CA Unified Self Service - Absolute URLs vs Relative URLs

Question asked by kleco02 Employee on Feb 1, 2017
Latest reply on Feb 6, 2017 by kleco02

Hi,

 

We are currently facing this issue with CA USS at a customer.

I would like to know if anyone has faced this issue before and whether there was a way around it.

 

As we all know, CA Unified Self Service is based on Liferay and uses Tomcat to deploy the CA USS application.

 

When deployed with a reverse proxy or behind a load balancer in SSL offloading mode (meaning client->LB in SSL and LB->Liferay in non-SSL), the URL is rewritten from "https" to "http" by Liferay. This causes issues with some load balancers if they do not rewrite the http to https. This can be addressed by setting "web.server.protocol" to "https". However, this makes it portal-wide, no matter whether it is accessed via LB/RP or directly from the local network. In the case of direct access from the local network, the URL will be rewritten to "https", which might break when Liferay is not set up with SSL (more likely not set up with SSL, since the SSL is offloaded to the LB). We need to be able to configure the "webserver." set of parameters per network.

 

Maybe a solution request would be?

 

The Absolute URL inserts the domain in links, where it can sometimes be undesirable. A Relative URL will show the correct context path regardless of domain. As an example, both CA Service Catalog and CA Service Desk Manager work in this way.


The following implementations on Liferay could address this:
1) Stop using Absolute URLs altogether. This would solve a ton of security issues, simplify the code, and ensure that the code works regardless of the environment.
2) Create a portal property that allows Relative URLs to be used instead of Absolute URLs. With a portal property you could simply change the method above to return an empty string if it is set to use Relative URLs.

 

Thank you.

Cornel Kleynhans
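
The behaviour described in the question, as an added example that is not part of the original post and is not CA USS or Liferay code: a small Python model comparing a portal-wide protocol setting, a scheme taken per request from `X-Forwarded-Proto` only when the peer is the load balancer, and relative links. The hostnames, addresses, link path and the assumption that the load balancer sets `X-Forwarded-Proto` are constructed for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

TRUSTED_PROXIES = ipaddress.ip_network("10.0.0.0/24")  # assumed load balancer subnet

# Constructed requests: (page URL in the browser, peer IP seen by Tomcat, headers)
VIA_LB = ("https://portal.example.com/home", "10.0.0.5",
          {"Host": "portal.example.com", "X-Forwarded-Proto": "https"})
DIRECT = ("http://uss.internal.example:8080/home", "192.168.1.20",
          {"Host": "uss.internal.example:8080"})
# A direct client that sets the header itself; it must not be believed.
SPOOFED = ("http://uss.internal.example:8080/home", "192.168.1.20",
           {"Host": "uss.internal.example:8080", "X-Forwarded-Proto": "https"})

def static_link(path, headers, protocol):
    """One portal-wide protocol for every client, as with web.server.protocol."""
    return f"{protocol}://{headers['Host']}{path}"

def per_request_link(path, peer_ip, headers):
    """Take the scheme from X-Forwarded-Proto only when the peer is a trusted proxy."""
    scheme = "http"  # the backend connection is always plain HTTP in this setup
    if ipaddress.ip_address(peer_ip) in TRUSTED_PROXIES:
        forwarded = headers.get("X-Forwarded-Proto", "").lower()
        if forwarded in ("http", "https"):
            scheme = forwarded
    return f"{scheme}://{headers['Host']}{path}"

def keeps_scheme(link, page_url):
    """True if the browser follows the link over the scheme it is already using."""
    return urlsplit(urljoin(page_url, link)).scheme == urlsplit(page_url).scheme

def survey(path="/group/guest/catalog"):  # constructed link path
    """Return {strategy: {scenario: link keeps the client's scheme}}."""
    scenarios = {"via_lb": VIA_LB, "direct": DIRECT, "spoofed": SPOOFED}
    strategies = {
        "static_http": lambda ip, h: static_link(path, h, "http"),
        "static_https": lambda ip, h: static_link(path, h, "https"),
        "per_request": lambda ip, h: per_request_link(path, ip, h),
        "relative": lambda ip, h: path,
    }
    return {name: {s: keeps_scheme(build(ip, h), page)
                   for s, (page, ip, h) in scenarios.items()}
            for name, build in strategies.items()}

if __name__ == "__main__":
    for strategy, outcome in survey().items():
        print(f"{strategy:13} {outcome}")
```

In this model only the per-request and relative strategies keep every client on the scheme it connected with, and the per-request one depends on rejecting `X-Forwarded-Proto` from peers outside the proxy subnet.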
