Aleksandar Kostadinov updated AS7-4391:
---------------------------------------
Description:
When using a reverse proxy to access AS7 console and a browser that sets the header
Origin, 403 is returned due to mismatch between Origin and Host headers.
Run the server on localhost for example by:
{code}bin/domain.sh{code}
Run apache httpd with the following configuration (e.g. in
/etc/httpd/conf.d/proxy_console.conf):
{code}
ProxyPassReverseCookieDomain localhost <your server public hostname>
ProxyPassReverse / http://localhost:9990/
ProxyPass / http://localhost:9990/
{code}
These should work:
open http://<your server public hostname> with firefox or IE - this should work
curl -v -u "adminusername:adminpassword" --digest http://localhost:9990/management/ # on the server this should work
These fail:
open http://<your server public hostname> with chromium
curl -v -u "adminusername:adminpassword" -H "Origin: http://<your server public hostname>" --digest http://localhost:9990/management/
What happens is that Chromium sets the Origin header to the server public IP hostname.
mod_proxy keeps that header but sets Host to localhost:9990. The domain management handler
sees the mismatch and returns 403. Firefox and IE do not set that header so they work.
That protection of the domain management API was introduced in:
https://issues.jboss.org/browse/AS7-2400
https://github.com/jbossas/jboss-as/commit/29cf3610d8dab1af0227842d877b92...
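As an added illustration (this is not AS7 code and not part of the report): a Python model of the Origin-versus-Host consistency check the description refers to, together with a model of what the reverse proxy does to the Host header on the way upstream. The check logic, the proxy model and the hostnames are assumptions; `preserve_host=True` models Apache's ProxyPreserveHost directive, which keeps the client's Host header intact instead of rewriting it to the backend address.

```python
from __future__ import annotations
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def split_host(value: str, scheme: str) -> tuple[str, int]:
    """Turn a Host header value into (lowercase host, port), applying the scheme's default port."""
    try:
        parts = urlsplit(f"{scheme}://{value}")
        return (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # malformed port such as "host:abc"
        return "", -1


def origin_matches_host(headers: dict) -> bool:
    """Hypothetical model of the management handler's check described in the report:
    a request carrying Origin is accepted only when Origin's host:port equals Host.
    Requests without Origin (Firefox/IE in the report) pass, matching the observed behaviour."""
    origin = headers.get("Origin")
    if origin is None:
        return True
    o = urlsplit(origin)
    if o.scheme not in DEFAULT_PORTS or not o.hostname:
        return False  # e.g. "null" or a non-http(s) origin: treat as mismatch
    expected = (o.hostname.lower(), o.port or DEFAULT_PORTS[o.scheme])
    return split_host(headers.get("Host", ""), o.scheme) == expected


def proxy_forward(client_headers: dict, backend: str = "localhost:9990",
                  preserve_host: bool = False) -> dict:
    """Model (assumption) of the proxy: by default Host is rewritten to the backend address
    while Origin is passed through unchanged; with preserve_host the client's Host is kept."""
    forwarded = dict(client_headers)
    if not preserve_host:
        forwarded["Host"] = backend
    return forwarded


def management_response(client_headers: dict, preserve_host: bool = False) -> int:
    """Status the management endpoint would return for a request that went through the proxy."""
    return 200 if origin_matches_host(proxy_forward(client_headers, preserve_host=preserve_host)) else 403


if __name__ == "__main__":
    # Constructed sample: a Chromium-style request via the proxy, with and without Host preservation.
    chromium = {"Host": "console.example.org", "Origin": "http://console.example.org"}
    print(management_response(chromium), management_response(chromium, preserve_host=True))
```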
admin console proxying vs header Origin
---------------------------------------
Key: AS7-4391
URL:
https://issues.jboss.org/browse/AS7-4391
Project: Application Server 7
Issue Type: Bug
Components: Documentation, Domain Management
Affects Versions: 7.1.1.Final
Reporter: Aleksandar Kostadinov
Assignee: Darran Lofthouse
Fix For: 7.1.2.Final-redhat1