[jboss-jira] [JBoss JIRA] (AS7-4391) admin console proxying vs header Origin

admin console proxying vs header Origin --------------------------------------- Key: AS7-4391 URL: https://issues.jboss.org/browse/AS7-4391 Project: Application Server 7 Issue Type: Bug Components: Documentation, Domain Management Affects Versions: 7.1.1.Final Reporter: Aleksandar Kostadinov Assignee: Darran Lofthouse Labels: Console_Authentication Fix For: 7.2.0.Alpha1 When using a reverse proxy to access AS7 console and a browser that sets the header Origin, 403 is returned due to mismatch between Origin and Host headers. Run the server on localhost for example by: {code}bin/domain.sh{code} Run apache httpd with the following configuration (e.g. in /etc/httpd/conf.d/proxy_console.conf): {code}ProxyPassReverseCookieDomain localhost <your server public hostname> ProxyPassReverse / http://localhost:9990/ ProxyPass / http://localhost:9990/ {code} These should work: open http://<your server public hostname> with firefox or IE - this should work curl -v -u "adminusername:adminpassword" --digest http://localhost:9990/management/ # on the server this should work These fail: open http://<your server public hostname> with chromium curl -v -u "adminusername:adminpassword" -H "Origin: http://<your server public hostname>" --digest http://localhost:9990/management/ What happens is that Chromium sets the Origin header to the server public IP hostname. mod_proxy keeps that header but sets Host to localhost:9990. The domain management handler sees the mismatch and returns 403. Firefox and IE do not set that header so they work. That protection of the domain management api was introduced in: https://issues.jboss.org/browse/AS7-2400 https://github.com/jbossas/jboss-as/commit/29cf3610d8dab1af0227842d877b92...