Allow ResourceService sendWelcome to honor isRelativeRedirect

[joakime]

Jetty version(s)
9.4.42+

Java version/vendor (use: java -version)
All

OS type/version
All

Description
The changes introduced in issue #6883 made the call to HttpServletResponse.sendRedirect(String path) use relative paths in most static content cases (that don't happen in a dispatch forward/include, and session in url, path params, query merging, etc).

Then relying on the HttpConfiguration.isRelativeRedirectAllowed() to determine behavior (or not).

The creation of the welcome redirect is no longer being created as an absolute location, I think it should honor the HttpConfiguration.isRelativeRedirectAllowed() in this case and produce an absolute location when that configuration is set appropriately.

[gregw]

@joakime can you explain why? If the ResourceService (and other redirecting handlers (eg ContextHandler)) produce relative links, then the resulting location header will be absolute or not entirely depending on the HttpConfiguration.isRelativeRedirectAllowed(). Moreover, we will have the code to determine an absolute URL in only one place (within sendRedirect) rather than duplicated in several places.

[jluehe]

@gregw, the proposal was to move the logic of whether to make the redirect location full (based on HttpConfiguration.isRelativeRedirectAllowed) inside Response.encodeRedirectURL (instead of Response.sendRedirect), so that by the time Response.sendRedirect is called, it will already be in its final form, thereby making out response wrapper happy, which enforces that only full URLs be passed to sendRedirect ("Cause: java.lang.IllegalArgumentException: HttpServletResponse.sendRedirect must be given an absolute URL, never just a path.").

[gregw]

@jluehe What is the isue with allowing relative paths to be passed? Is it that when converted to absolute URIs within sendRedirect that the wrong port and/or host is sometimes used? If so, aren't the other changes we are making to allow authority overrides sufficient to circumvent this problem?

I'm concerned that is we scatter code that checks isRelativeRedirectAllowed() all over the code then it will be both fragile and incomplete as we will always be vulnerable to new code that doesn't do that. So best to come up with a solution that doesn't rely on forcing the argument to be absolute.

[github-actions]

This issue has been automatically marked as stale because it has been a
full year without activity. It will be closed if no further activity occurs.
Thank you for your contributions.

[gregw]

I'll double check this

[jluehe]

Thanks, @gregw - feel free to close this! @joakime suggested a solution at the time which did exactly what we needed.