Process X-Forwarded-Ssl headers properly [SPR-16863]

[spring-projects-issues]

Greg Turnquist opened SPR-16863 and commented

Spring HATEOAS has extra support built for handing X-Forwarded-Ssl headers, in the following code.

There is additionally a ForwardedHeader class used to parse Forwarded headers. It would be ideal if this header was handled by Spring MVC directly so Spring HATEOAS didn't have to bake in support as well. That would allow us to concentrate such functionality truly in one place.

---

Affects: 5.0.6

Reference URL: spring-projects/spring-hateoas#112

Issue Links:

• Centralize handling of "Forwarded" headers to ForwardedHeaderFilter [SPR-16668] #21209 Centralize handling of "Forwarded" headers to ForwardedHeaderFilter
• Centralize handling of "Forwarded" headers to ForwardedHeaderFilter [SPR-16668] #21209 Centralize handling of "Forwarded" headers to ForwardedHeaderFilter

Referenced from: commits c7c3e55, 3eac2dd

[spring-projects-issues]

Rossen Stoyanchev commented

It's worth pointing out also that Spring HATEOAS needs to remove any remaining explicit checks, like for "X-Forwarded-Ssl", in order to align with #21209.

[spring-projects-issues]

Rossen Stoyanchev commented

So looking at the code in Spring HATEOAS, thee "X-Forwarded-Ssl" is checked and applied lazily in case neither "Forwarded" nor "X-Forwarded-Proto" have a protocol value. 

Rob Winch if that seems okay, I'll apply to UriComponentsBuilder#adaptedFromForwardedHeaders that in turn is used from ForwardedHeaderFilter.
 

[spring-projects-issues]

Greg Turnquist commented

I have a branch to apply such changes. Be advised, I have swept all such code into one location inside Spring HATEOAS such that is only used for Spring Framework 5.0 and ignored for Spring Framework 5.1. This code is also flagged as @Deprecated. Thus, whenever we rebase Spring HATEOAS against Spring 5.1, we can remove it for good.