[jboss-jira] [JBoss JIRA] (AS7-4391) admin console proxying vs header Origin

Darran Lofthouse (JIRA) jira-events at lists.jboss.org
Tue Nov 27 07:40:21 EST 2012 

     [ https://issues.jboss.org/browse/AS7-4391?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse resolved AS7-4391.
-----------------------------------

    Resolution: Out of Date


I am marking this issue as out of date as a working proxy configuration was identified in the end, further work may be undertaken against AS7-2564 which is to add additional configuration for genuine cross site scenarios - that would potentially allow configuration to accept values that match the address of the proxy server and not mandate a Host / Origin match.
                
> admin console proxying vs header Origin
> ---------------------------------------
>
>                 Key: AS7-4391
>                 URL: https://issues.jboss.org/browse/AS7-4391
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Documentation, Domain Management
>    Affects Versions: 7.1.1.Final
>            Reporter: Aleksandar Kostadinov
>            Assignee: Darran Lofthouse
>              Labels: Console_Authentication
>             Fix For: 7.2.0.Alpha1
>
>
> When using a reverse proxy to access AS7 console and a browser that sets the header Origin, 403 is returned due to mismatch between Origin and Host headers.
> Run the server on localhost for example by:
> {code}bin/domain.sh{code}
> Run apache httpd with the following configuration (e.g. in /etc/httpd/conf.d/proxy_console.conf):
> {code}ProxyPassReverseCookieDomain localhost <your server public hostname>
> ProxyPassReverse / http://localhost:9990/
> ProxyPass        / http://localhost:9990/
> {code}
> These should work:
> open http://<your server public hostname> with firefox or IE - this should work
> curl -v -u "adminusername:adminpassword" --digest http://localhost:9990/management/ # on the server this should work
> These fail:
> open http://<your server public hostname> with chromium
> curl -v -u "adminusername:adminpassword" -H "Origin: http://<your server public hostname>" --digest http://localhost:9990/management/
> What happens is that Chromium sets the Origin header to the server public IP hostname. mod_proxy keeps that header but sets Host to localhost:9990. The domain management handler sees the mismatch and returns 403. Firefox and IE do not set that header so they work.
> That protection of the domain management api was introduced in:
> https://issues.jboss.org/browse/AS7-2400
> https://github.com/jbossas/jboss-as/commit/29cf3610d8dab1af0227842d877b926543b72273

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list