[jboss-jira] [JBoss JIRA] (AS7-4391) admin console proxying vs header Origin

Darran Lofthouse (JIRA) jira-events at lists.jboss.org
Sat Apr 21 04:27:18 EDT 2012


     [ https://issues.jboss.org/browse/AS7-4391?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated AS7-4391:
----------------------------------

    Fix Version/s: 7.2.0.Alpha1
                       (was: 7.1.2.Final-redhat1)


I am postponing this issue as the alternative configuration option has now been found to leave the original host intact when forwarding the message to the http interface - that is critical as that is how browsers let us know if it is a cross origin resource sharing request which we do not allow.

Regarding messages, each rejection scenario for the http interface now does log a message with the details.

For documentation I can look to include something in the docs but in the meantime if someone does have a working setup the creation of a short article on jboss.org would be much appreciated.

> admin console proxying vs header Origin
> ---------------------------------------
>
>                 Key: AS7-4391
>                 URL: https://issues.jboss.org/browse/AS7-4391
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Documentation, Domain Management
>    Affects Versions: 7.1.1.Final
>            Reporter: Aleksandar Kostadinov
>            Assignee: Darran Lofthouse
>             Fix For: 7.2.0.Alpha1
>
>
> When using a reverse proxy to access AS7 console and a browser that sets the header Origin, 403 is returned due to mismatch between Origin and Host headers.
> Run the server on localhost for example by:
> {code}bin/domain.sh{code}
> Run apache httpd with the following configuration (e.g. in /etc/httpd/conf.d/proxy_console.conf):
> {code}ProxyPassReverseCookieDomain localhost <your server public hostname>
> ProxyPassReverse / http://localhost:9990/
> ProxyPass        / http://localhost:9990/
> {code}
> These should work:
> open http://<your server public hostname> with firefox or IE - this should work
> curl -v -u "adminusername:adminpassword" --digest http://localhost:9990/management/ # on the server this should work
> These fail:
> open http://<your server public hostname> with chromium
> curl -v -u "adminusername:adminpassword" -H "Origin: http://<your server public hostname>" --digest http://localhost:9990/management/
> What happens is that Chromium sets the Origin header to the server public IP hostname. mod_proxy keeps that header but sets Host to localhost:9990. The domain management handler sees the mismatch and returns 403. Firefox and IE do not set that header so they work.
> That protection of the domain management api was introduced in:
> https://issues.jboss.org/browse/AS7-2400
> https://github.com/jbossas/jboss-as/commit/29cf3610d8dab1af0227842d877b926543b72273

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
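The quoted report describes the mechanism in prose only: Chromium sends an Origin header, mod_proxy rewrites Host to localhost:9990, and the management handler answers 403 on the mismatch. The following added example (not AS7's or the reporter's code) models that check so the three scenarios from the report can be run side by side; the hostname console.example.org stands in for "<your server public hostname>", and the exact comparison rule (host plus default-port normalisation) is an assumption, not AS7's implementation.

```python
"""Model of the Origin/Host cross-origin check described in AS7-4391.

Added example, not AS7's own code: it reproduces the behaviour the report
describes (403 when Origin and Host disagree, pass-through when no Origin
header is sent) so the effect of a reverse proxy rewriting Host is visible.
The precise comparison AS7 performs is an assumption."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def authority(scheme: str, netloc: str) -> tuple:
    """Split 'host[:port]' into (host, port), filling in the scheme's default port."""
    if ":" in netloc:
        host, _, port = netloc.rpartition(":")
    else:
        host, port = netloc, ""
    return host.lower(), int(port) if port else DEFAULT_PORTS.get(scheme, 80)


def management_check(headers: dict, scheme: str = "http") -> int:
    """Return the HTTP status the management handler would answer with."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return 200  # Firefox/IE in the report send no Origin: request allowed
    o = urlsplit(origin)
    if authority(o.scheme, o.netloc) != authority(scheme, h["host"]):
        return 403  # Origin disagrees with Host: treated as cross-origin, rejected
    return 200


# Constructed header sets for the scenarios in the report (hostname is a placeholder).
# 1. Chromium through mod_proxy with Host rewritten to the backend address.
PROXIED_HOST_REWRITTEN = {"Host": "localhost:9990", "Origin": "http://console.example.org"}
# 2. The same request when the proxy forwards the client's Host header unchanged.
PROXIED_HOST_PRESERVED = {"Host": "console.example.org", "Origin": "http://console.example.org"}
# 3. A browser that sends no Origin header at all.
NO_ORIGIN = {"Host": "localhost:9990"}

if __name__ == "__main__":
    for name, hdrs in [("host rewritten", PROXIED_HOST_REWRITTEN),
                       ("host preserved", PROXIED_HOST_PRESERVED),
                       ("no Origin", NO_ORIGIN)]:
        print(f"{name}: {management_check(hdrs)}")
```

Scenario 2 is what Darran's "alternative configuration option" achieves; in Apache httpd the directive that forwards the client's Host header unchanged is ProxyPreserveHost On.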
