[jboss-jira] [JBoss JIRA] (AS7-4391) admin console proxying vs header Origin

Aleksandar Kostadinov (JIRA) jira-events at lists.jboss.org
Tue Aug 21 08:53:16 EDT 2012 

    [ https://issues.jboss.org/browse/AS7-4391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12712689#comment-12712689 ] 

Aleksandar Kostadinov commented on AS7-4391:
--------------------------------------------

I wrote https://community.jboss.org/wiki/ApacheHttpdJBossAS7AdminConsoleProxy

Short but might help somebody. When trying to proxy, there are a lot of details so the one example I have in there can't cover all use cases. Actually I need to experiment with a version of AS that has AS7-4397 incorporated to be able to cover other use cases.
                
> admin console proxying vs header Origin
> ---------------------------------------
>
>                 Key: AS7-4391
>                 URL: https://issues.jboss.org/browse/AS7-4391
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Documentation, Domain Management
>    Affects Versions: 7.1.1.Final
>            Reporter: Aleksandar Kostadinov
>            Assignee: Darran Lofthouse
>              Labels: Console_Authentication
>             Fix For: 7.2.0.Alpha1
>
>
> When using a reverse proxy to access AS7 console and a browser that sets the header Origin, 403 is returned due to mismatch between Origin and Host headers.
> Run the server on localhost for example by:
> {code}bin/domain.sh{code}
> Run apache httpd with the following configuration (e.g. in /etc/httpd/conf.d/proxy_console.conf):
> {code}ProxyPassReverseCookieDomain localhost <your server public hostname>
> ProxyPassReverse / http://localhost:9990/
> ProxyPass        / http://localhost:9990/
> {code}
> These should work:
> open http://<your server public hostname> with firefox or IE - this should work
> curl -v -u "adminusername:adminpassword" --digest http://localhost:9990/management/ # on the server this should work
> These fail:
> open http://<your server public hostname> with chromium
> curl -v -u "adminusername:adminpassword" -H "Origin: http://<your server public hostname>" --digest http://localhost:9990/management/
> What happens is that Chromium sets the Origin header to the server public IP hostname. mod_proxy keeps that header but sets Host to localhost:9990. The domain management handler sees the mismatch and returns 403. Firefox and IE do not set that header so they work.
> That protection of the domain management api was introduced in:
> https://issues.jboss.org/browse/AS7-2400
> https://github.com/jbossas/jboss-as/commit/29cf3610d8dab1af0227842d877b926543b72273

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list