Description
HTTPS-enabled load balancers like Amazon's ELB that forward client requests to HTTP servers behind the load balancer set the X-Forwarded-Proto request header with a value of https. If the call is forwarded to an HTTP Restlet application from the load balancer, the originalRef Request property uses the protocol of the target request without checking if the X-Forwarded-Proto header is set and using that protocol scheme instead.
This becomes a problem for resources that need to redirect when handling a request. Extra code needs to be written into the application code to look for the X-Forwarded-Proto header explicitly when building the redirect URL instead of using values from getRequest().getOriginalRef(). Also, static content resources served by a DirectoryService will have an incorrect protocol set for the Content-Location URL.
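
The scheme correction described above can be sketched in plain Java. This is an added example, not Restlet code or part of the original report: the class name, the method effectiveRef, the TRUSTED_PROXIES set and the sample addresses and hosts are all assumptions made for illustration. It honours X-Forwarded-Proto only when the direct peer is a known load balancer, because a client that reaches the backend directly can set the header itself.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

public class ForwardedProtoExample {
    // Assumption: addresses of the load balancers allowed to set the header.
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");

    /**
     * Returns originalRef with the scheme the client used towards the load
     * balancer, or originalRef unchanged when the header cannot be trusted.
     */
    static URI effectiveRef(URI originalRef, String forwardedProto, String peerAddress) {
        // Ignore the header unless the direct peer is a known load balancer;
        // otherwise any client could pick the scheme of generated URLs.
        if (forwardedProto == null || !TRUSTED_PROXIES.contains(peerAddress)) {
            return originalRef;
        }
        String scheme = forwardedProto.trim().toLowerCase(Locale.ROOT);
        // Accept only the two expected values; anything else is dropped.
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return originalRef;
        }
        String current = originalRef.getScheme();
        if (current == null || current.equalsIgnoreCase(scheme)) {
            return originalRef; // relative reference, or nothing to change
        }
        // Swap only the scheme; host, port, raw path and query stay untouched.
        String rest = originalRef.toString().substring(current.length());
        return URI.create(scheme + rest);
    }

    public static void main(String[] args) {
        // Constructed sample: the reference as the backend sees it.
        URI seen = URI.create("http://app.example.com/docs?page=2");
        // Header set by the trusted load balancer: scheme becomes https.
        System.out.println(effectiveRef(seen, "https", "10.0.0.5"));
        // Same header from an unknown peer: reference is left as-is.
        System.out.println(effectiveRef(seen, "https", "203.0.113.9"));
        // Unexpected header value from the trusted peer: also left as-is.
        System.out.println(effectiveRef(seen, "javascript", "10.0.0.5"));
        // No header at all (direct HTTP request): left as-is.
        System.out.println(effectiveRef(seen, null, "10.0.0.5"));
    }
}
```

A redirect or Content-Location URL built from the returned reference then carries the client-facing scheme, while an explicit backend port in the original reference is kept as received.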