IQSS · kcondon · Nov 25, 2019 · Nov 22, 2019
diff --git a/doc/sphinx-guides/source/installation/config.rst b/doc/sphinx-guides/source/installation/config.rst
@@ -876,6 +876,8 @@ The password reset feature requires ``dataverse.fqdn`` to be configured.
 | ``https://{dataverse.fqdn}/``
 | If that does not suit your setup, you can define an additional option, ``dataverse.siteUrl``, explained below.
 
+.. _dataverse.siteUrl:
+
 dataverse.siteUrl
 +++++++++++++++++
 

diff --git a/doc/sphinx-guides/source/installation/installation-main.rst b/doc/sphinx-guides/source/installation/installation-main.rst
@@ -86,6 +86,9 @@ Glassfish does not provide up to date documentation but Payara (a fork of Glassf
 - exporting to DDI format
 - which Dataverse installation an "external tool" should return to
 - which Dataverse installation Geoconnect should return to
+- URLs embedded in SWORD API responses
+
+The supplied site URL will be saved under the JVM option :ref:`dataverse.siteUrl`.
 
 **IMPORTANT:** Please note, that "out of the box" the installer will configure the Dataverse to leave unrestricted access to the administration APIs from (and only from) localhost. Please consider the security implications of this arrangement (anyone with shell access to the server can potentially mess with your Dataverse). An alternative solution would be to block open access to these sensitive API endpoints completely; and to only allow requests supplying a pre-defined "unblock token" (password). If you prefer that as a solution, please consult the supplied script ``post-install-api-block.sh`` for examples on how to set it up. See also "Securing Your Installation" under the :doc:`config` section.
 

diff --git a/src/main/java/edu/harvard/iq/dataverse/api/datadeposit/UrlManager.java b/src/main/java/edu/harvard/iq/dataverse/api/datadeposit/UrlManager.java
@@ -30,35 +30,6 @@ String processUrl(String url) throws SwordError {
         } catch (URISyntaxException ex) {
             throw new SwordError(UriRegistry.ERROR_BAD_REQUEST, "Invalid URL syntax: " + url);
         }
-        /**
-         * @todo: figure out another way to check for http. We used to use
-         * javaNetUri.getScheme() but now that we are using "ProxyPass /
-         * ajp://localhost:8009/" in Apache it's always http rather than https.
-         *
-         * http://serverfault.com/questions/6128/how-do-i-force-apache-to-use-https-in-conjunction-with-ajp
-         * http://stackoverflow.com/questions/1685563/apache-webserver-jboss-ajp-connectivity-with-https
-         * http://stackoverflow.com/questions/12460422/how-do-ensure-that-apache-ajp-to-tomcat-connection-is-secure-encrypted
-         */
-        if (!"https".equals(javaNetUri.getScheme())) {
-            /**
-             * @todo figure out how to prevent this stackstrace from showing up
-             * in Glassfish logs:
-             *
-             * Unable to populate SSL attributes
-             * java.lang.IllegalStateException: SSLEngine is null at
-             * org.glassfish.grizzly.ssl.SSLSupportImpl
-             *
-             * https://github.com/IQSS/dataverse/issues/643
-             *
-             * SSLOptions +StdEnvVars +ExportCertData ?
-             *
-             * [#GLASSFISH-20694] Glassfish 4.0 and jk Unable to populate SSL
-             * attributes - Java.net JIRA -
-             * https://java.net/jira/browse/GLASSFISH-20694
-             */
-            logger.fine("https is required but protocol was " + javaNetUri.getScheme());
-//            throw new SwordError(UriRegistry.ERROR_BAD_REQUEST, "https is required but protocol was " + javaNetUri.getScheme());
-        }
         this.port = javaNetUri.getPort();
         String[] urlPartsArray = javaNetUri.getPath().split("/");
         List<String> urlParts = Arrays.asList(urlPartsArray);
@@ -152,47 +123,14 @@ String processUrl(String url) throws SwordError {
     }
 
     String getHostnamePlusBaseUrlPath(String url) throws SwordError {
-        String optionalPort = "";
-        URI u;
-        try {
-            u = new URI(url);
-        } catch (URISyntaxException ex) {
-            throw new SwordError(UriRegistry.ERROR_BAD_REQUEST, "unable to part URL");
-        }
-        int port = u.getPort();
-        if (port != -1) {
-            // https often runs on port 8181 in dev
-            optionalPort = ":" + port;
-        }
-        String requestedHostname = u.getHost();
-        String hostName = System.getProperty(SystemConfig.FQDN);
-        if (hostName == null) {
-            hostName = "localhost";
-        }
-        /**
-         * @todo should this be configurable? In dev it's convenient to override
-         * the JVM option and force traffic to localhost.
-         */
-        if (requestedHostname.equals("localhost")) {
-            hostName = "localhost";
-        }
         /**
          * @todo Any problem with returning the current API version rather than
          * the version that was operated on? Both should work. If SWORD API
          * users are operating on the URLs returned (as they should) returning
          * the current version will avoid deprecation warnings on the Dataverse
          * side.
-         *
-         * @todo Prevent "https://localhost:8080" from being returned. It should
-         * either be "http://localhost:8080" or "https://localhost:8181". Use
-         * SystemConfig.getDataverseSiteUrl instead of SystemConfig.FQDN above.
-         * It's worse for security to not have https hard coded here but if
-         * users have configured dataverse.siteUrl to be http rather than https
-         * we assume they are doing this on purpose (despite our warnings in the
-         * Installation Guide), perhaps because they are only kicking the tires
-         * on Dataverse.
          */
-        return "https://" + hostName + optionalPort + swordConfiguration.getBaseUrlPathCurrent();
+        return SystemConfig.getDataverseSiteUrlStatic() + swordConfiguration.getBaseUrlPathCurrent();
     }
 
     public String getOriginalUrl() {