[jboss-jira] [JBoss JIRA] (AS7-4391) admin console proxying vs header Origin

Aleksandar Kostadinov (JIRA) jira-events at lists.jboss.org
Wed Apr 4 09:19:52 EDT 2012 

    [ https://issues.jboss.org/browse/AS7-4391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12681667#comment-12681667 ] 

Aleksandar Kostadinov commented on AS7-4391:
--------------------------------------------

I found another mod_proxy configuration directive that seems to be the proper fix for the problem:
ProxyPreserveHost On

Using this directive though may affect AS7-4397.

Perhaps current behavior of console wrt Origin is generally correct but:
* would be very useful to have proxying the console documented
* also throwing debug messages when this protection kicks in would help a lot
                
> admin console proxying vs header Origin
> ---------------------------------------
>
>                 Key: AS7-4391
>                 URL: https://issues.jboss.org/browse/AS7-4391
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Domain Management
>    Affects Versions: 7.1.1.Final
>            Reporter: Aleksandar Kostadinov
>            Assignee: Darran Lofthouse
>             Fix For: 7.1.2.Final-redhat1
>
>
> When using a reverse proxy to access AS7 console and a browser that sets the header Origin, 403 is returned due to mismatch between Origin and Host headers.
> Run the server on localhost for example by:
> bin/domain.sh
> Run apache httpd with the following configuration (e.g. in /etc/httpd/conf.d/proxy_console.conf):
> ProxyPassReverseCookieDomain localhost <your server public hostname>
> ProxyPassReverse / http://localhost:9990/
> ProxyPass        / http://localhost:9990/
> These should work:
> open http://<your server public hostname> with firefox or IE - this should work
> curl -v -u "adminusername:adminpassword" --digest http://localhost:9990/management/ # on the server this should work
> These fail:
> open http://<your server public hostname> with chromium
> curl -v -u "adminusername:adminpassword" -H "Origin: http://<your server public hostname>" --digest http://localhost:9990/management/
> What happens is that Chromium sets the Origin header to the server public IP hostname. mod_proxy keeps that header but sets Host to localhost:9990. The domain management handler sees the mismatch and returns 403. Firefox and IE do not set that header so they work.
> That protection of the domain management api was introduced in:
> https://issues.jboss.org/browse/AS7-2400
> https://github.com/jbossas/jboss-as/commit/29cf3610d8dab1af0227842d877b926543b72273

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list