[jboss-jira] [JBoss JIRA] (AS7-4391) admin console proxying vs header Origin

[ https://issues.jboss.org/browse/AS7-4391?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse updated AS7-4391: ---------------------------------- Fix Version/s: 7.1.2.Final-redhat1 Workaround Description: This configuration directive removes the header from all requests: RequestHeader unset Origin THIS WORKAROUND WILL LEAVE ANY INSTALLATION VULNERABLE TO CROSS SITE SCRIPTING ATTACKS was: This configuration directive removes the header from all requests: RequestHeader unset Origin Description: When using a reverse proxy to access AS7 console and a browser that sets the header Origin, 403 is returned due to mismatch between Origin and Host headers. Run the server on localhost for example by: bin/domain.sh Run apache httpd with the following configuration (e.g. in /etc/httpd/conf.d/proxy_console.conf): ProxyPassReverseCookieDomain localhost <your server public hostname> ProxyPassReverse / http://localhost:9990/ ProxyPass / http://localhost:9990/ These should work: open http://<your server public hostname> with firefox or IE - this should work curl -v -u "adminusername:adminpassword" --digest http://localhost:9990/management/ # on the server this should work These fail: open http://<your server public hostname> with chromium curl -v -u "adminusername:adminpassword" -H "Origin: http://<your server public hostname>" --digest http://localhost:9990/management/ What happens is that Chromium sets the Origin header to the server public IP hostname. mod_proxy keeps that header but sets Host to localhost:9990. The domain management handler sees the mismatch and returns 403. Firefox and IE do not set that header so they work. That protection of the domain management api was introduced in: https://issues.jboss.org/browse/AS7-2400 https://github.com/jbossas/jboss-as/commit/29cf3610d8dab1af0227842d877b92... was: When using a reverse proxy to access AS7 console and a browser that sets the header Origin, 403 is returned due to mismatch between Origin and Host headers. Run the server on localhost for example by: bin/domain.sh Run apache httpd with the following configuration (e.g. in /etc/httpd/conf.d/proxy_console.conf): ProxyPassReverseCookieDomain localhost <your server public hostname> ProxyPassReverse / http://localhost:9990/ ProxyPass / http://localhost:9990/ These should work: open http://<your server public hostname> with firefox or IE - this should work curl -v -u "adminusername:adminpassword" --digest http://localhost:9990/management/ # on the server this should work These fail: open http://<your server public hostname> with chromium curl -v -u "adminusername:adminpassword" -H "Origin: http://<your server public hostname>" --digest http://localhost:9990/management/ What happens is that Chromium correctly sets the Origin header to the server public IP hostname. mod_proxy keeps that header but sets Host to localhost:9990. Console sees the mismatch and returns 403. Firefox and IE do not set that header so they work. That protection of admin console was introduced in: https://issues.jboss.org/browse/AS7-2400 https://github.com/jbossas/jboss-as/commit/29cf3610d8dab1af0227842d877b92... Component/s: Domain Management (was: Console) -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira