Heiko Braun reassigned AS7-4391:
--------------------------------
Assignee: Darran Lofthouse (was: Heiko Braun)
admin console proxying vs header Origin
---------------------------------------
Key: AS7-4391
URL: https://issues.jboss.org/browse/AS7-4391
Project: Application Server 7
Issue Type: Bug
Components: Console
Affects Versions: 7.1.1.Final
Reporter: Aleksandar Kostadinov
Assignee: Darran Lofthouse
When using a reverse proxy to access the AS7 console with a browser that sets the
Origin header, a 403 is returned due to a mismatch between the Origin and Host headers.
Run the server on localhost, for example by:
bin/domain.sh
Run apache httpd with the following configuration (e.g. in /etc/httpd/conf.d/proxy_console.conf):
ProxyPassReverseCookieDomain localhost <your server public hostname>
ProxyPassReverse / http://localhost:9990/
ProxyPass / http://localhost:9990/
These should work:
open http://<your server public hostname> with Firefox or IE - this should work
curl -v -u "adminusername:adminpassword" --digest http://localhost:9990/management/ # on the server this should work
These fail:
open http://<your server public hostname> with Chromium
curl -v -u "adminusername:adminpassword" -H "Origin: http://<your server public hostname>" --digest http://localhost:9990/management/
What happens is that Chromium correctly sets the Origin header to the server's public IP
hostname. mod_proxy keeps that header but sets Host to localhost:9990. The console sees the
mismatch and returns 403. Firefox and IE do not set that header, so they work.
That protection of the admin console was introduced in:
https://issues.jboss.org/browse/AS7-2400
https://github.com/jbossas/jboss-as/commit/29cf3610d8dab1af0227842d877b92...
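The following is an added example, not code from the JBoss AS console or from the ticket. It models the check the report describes (compare the authority in the Origin header with the Host header; no Origin means no check) and the header rewriting that mod_proxy performs, so the four request shapes in the report can be replayed offline. The hostname console.example.org and the request dictionaries are constructed placeholders for "<your server public hostname>". The preserve_host flag models Apache's ProxyPreserveHost On directive, which forwards the client's Host header instead of the backend address; the ticket itself does not state a fix, this is only the workaround that follows from its description of the mismatch.

```python
"""Model of the Origin-vs-Host check described in AS7-4391.

Added example, not code from the JBoss AS console or from the ticket.
It reproduces the failure mode in the report: Apache mod_proxy rewrites
Host to the backend address (localhost:9990) while the browser's Origin
header passes through unchanged, so the two no longer agree.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample values; the hostname is a placeholder for the
# "<your server public hostname>" in the report.
PUBLIC_HOST = "console.example.org"
BACKEND = "localhost:9990"
CHROMIUM_REQUEST = {"Host": PUBLIC_HOST, "Origin": "http://" + PUBLIC_HOST}
FIREFOX_REQUEST = {"Host": PUBLIC_HOST}          # Firefox/IE: no Origin header
CURL_ON_SERVER = {"Host": BACKEND, "Origin": "http://" + PUBLIC_HOST}


def authority(scheme, netloc):
    """Return (host, port) for an authority string, filling in the
    scheme's default port. None if the string cannot be parsed."""
    try:
        parts = urlsplit(f"{scheme}://{netloc}")
        if not parts.hostname:
            return None
        return parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme]
    except ValueError:          # e.g. a non-numeric port
        return None


def origin_matches_host(headers, request_scheme="http"):
    """Simplified model of the console's check (assumption, not its
    actual code): a request without Origin passes; one with Origin
    passes only when Origin's host and port equal the Host header's.
    False means the console would answer 403."""
    origin = headers.get("Origin")
    if origin is None:
        return True
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS:
        return False
    origin_auth = authority(parts.scheme, parts.netloc)
    host_auth = authority(request_scheme, headers.get("Host", ""))
    return origin_auth is not None and origin_auth == host_auth


def proxied(headers, backend, preserve_host=False):
    """Model mod_proxy forwarding: by default Host becomes the backend
    address; with ProxyPreserveHost On the client's Host is kept.
    Every other header, Origin included, is passed through."""
    forwarded = dict(headers)
    if not preserve_host:
        forwarded["Host"] = backend
    return forwarded


def console_status(headers):
    """HTTP status the modelled console would return."""
    return 200 if origin_matches_host(headers) else 403


if __name__ == "__main__":
    print("Chromium via proxy, default:     ",
          console_status(proxied(CHROMIUM_REQUEST, BACKEND)))
    print("Firefox via proxy, default:      ",
          console_status(proxied(FIREFOX_REQUEST, BACKEND)))
    print("curl on server with Origin set:  ",
          console_status(CURL_ON_SERVER))
    print("Chromium via proxy, PreserveHost:",
          console_status(proxied(CHROMIUM_REQUEST, BACKEND, preserve_host=True)))
```

Running it shows 403 for the two failing cases in the report (Chromium through the default proxy, and curl on the server with an explicit Origin), 200 for Firefox, and 200 for Chromium once the proxy preserves the client's Host header. The comparison is done on (host, port) after filling in scheme default ports and lower-casing the host, so "http://host" and "host:80" agree while a scheme change (http Origin against an https backend port) still fails.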