[jboss-jira] [JBoss JIRA] (WFLY-5725) Attribute "secure" not migrated to Undertow subsystem
Francesco Marchioni (JIRA)
issues at jboss.org
Thu Nov 26 12:10:01 EST 2015
[ https://issues.jboss.org/browse/WFLY-5725?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13134445#comment-13134445 ]
Francesco Marchioni edited comment on WFLY-5725 at 11/26/15 12:09 PM:
----------------------------------------------------------------------
Hi,
I just wanted to mention that I have tested the certificate-forwarding=true on the http-listener but it didn't work.
Here is the Apache configuration:
{code}
SSLOptions +StdEnvVars
RewriteCond %{SSL:SSL_SESSION_ID} (.+)
RewriteRule . - [E=SESSID:%1]
RequestHeader set SSL_SESSION_ID %{SESSID}e
RewriteCond %{SSL:SSL_CLIENT_CERT} (.+)
RewriteRule . - [E=SSLCERT:%1]
RequestHeader set SSL_CLIENT_CERT %{SSLCERT}e
RewriteCond %{SSL:SSL_CIPHER} (.+)
RewriteRule . - [E=SSLCIP:%1]
RequestHeader set SSL_CIPHER %{SSLCIP}e
{code}
tcpdump reveals that the SSL_SESSION_ID is correctly received by the application server:
GET /jboss/vault/ HTTP/1.1
Host: 10.110.229.140:9280
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: Apache=a16d66d6.5256fc17642ba
*SSL_SESSION_ID: e60aac145c1e1c0070663db70f575b642a1f531edfdbd53624b5a48d7f2ab394*
SSL_CLIENT_CERT: (null)
SSL_CIPHER: ECDHE-RSA-AES128-GCM-SHA256
X-Forwarded-For: xx.xx.xx.xx
X-Forwarded-Host: xxxxx
X-Forwarded-Server: xxxxx.xxxxx.xxxxxx.it
Connection: Keep-Alive
However, certificate-forwarding seems not able to propagate the https to Undertow as the application (deployed with CONFIDENTIAL in web.xml). Since the connection is insecure, the application refuses to proceed and issues a redirect to an https fallback address.
> Attribute "secure" not migrated to Undertow subsystem
> -----------------------------------------------------
>
> Key: WFLY-5725
> URL: https://issues.jboss.org/browse/WFLY-5725
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Environment: RHEL 7.1
> Reporter: Francesco Marchioni
> Assignee: Stuart Douglas
> Labels: ea, undertow
>
> We need to migrate the following EAP 6 configuration from the web subsystem:
> <subsystem xmlns="urn:jboss:domain:web:2.1" default-virtual-server="default-host" native="false">
> <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
> <connector name="httpconfidential" protocol="HTTP/1.1" scheme="http" socket-binding="httpsecure" secure="true" enabled="true"/>
> <virtual-server name="default-host" enable-welcome-root="true">
> <alias name="localhost"/>
> <alias name="example.com"/>
> </virtual-server>
> </subsystem>
> This configuration uses the *secure="true"* attribute to support the transport-guarantee CONFIDENTIAL which is required by our applications. (We don't use https in EAP, which is configured only on the Apache Web server that serves requests to EAP 6.)
> The configuration has been migrated into EAP 7.0.0 Alpha using the CLI /subsystem=web:migrate command. Although no warnings are shown, the resulting configuration *does not contain the attribute "secure"* :
> <subsystem xmlns="urn:jboss:domain:undertow:3.0">
> <buffer-cache name="default"/>
> <server name="default-server">
> <http-listener name="http" socket-binding="http"/>
> <http-listener name="httpconfidential" socket-binding="httpsecure"/>
> <host name="default-host" alias="localhost, example.com">
> <location name="/" handler="welcome-content"/>
> </host>
> </server>
> <servlet-container name="default">
> <jsp-config/>
> </servlet-container>
> <handlers>
> <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
> </handlers>
> </subsystem>
> Is there any plan to provide backward compatibility for the secure attribute in EAP 7?
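An added check, not part of the issue or of WildFly's migration tooling, that compares the EAP 6 web subsystem with the migrated Undertow subsystem and reports every connector whose secure="true" has no counterpart on the resulting listener. The sample XML is reconstructed from the issue text; the check assumes an http-listener would carry the same secure="true" attribute the reporter asks for, and treats an https-listener as inherently secure.

```python
import xml.etree.ElementTree as ET

WEB_NS = "urn:jboss:domain:web:2.1"
UNDERTOW_NS = "urn:jboss:domain:undertow:3.0"

# Constructed from the EAP 6 configuration quoted in the issue.
EAP6_WEB = """<subsystem xmlns="urn:jboss:domain:web:2.1" default-virtual-server="default-host" native="false">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <connector name="httpconfidential" protocol="HTTP/1.1" scheme="http" socket-binding="httpsecure" secure="true" enabled="true"/>
</subsystem>"""

# Constructed from the migrated EAP 7 configuration quoted in the issue.
EAP7_UNDERTOW = """<subsystem xmlns="urn:jboss:domain:undertow:3.0">
  <server name="default-server">
    <http-listener name="http" socket-binding="http"/>
    <http-listener name="httpconfidential" socket-binding="httpsecure"/>
  </server>
</subsystem>"""


def secure_connectors(web_xml):
    """Map socket-binding -> connector name for connectors marked secure="true"."""
    root = ET.fromstring(web_xml)
    return {c.get("socket-binding"): c.get("name")
            for c in root.iter(f"{{{WEB_NS}}}connector")
            if c.get("secure", "false").lower() == "true"}


def undertow_listeners(undertow_xml):
    """Map socket-binding -> listener element for every http/https listener."""
    root = ET.fromstring(undertow_xml)
    listeners = {}
    for tag in ("http-listener", "https-listener"):
        for lst in root.iter(f"{{{UNDERTOW_NS}}}{tag}"):
            listeners[lst.get("socket-binding")] = lst
    return listeners


def lost_secure_flag(web_xml, undertow_xml):
    """Return (connector, reason) pairs where the secure flag was dropped by migration.

    A plain http-listener without secure="true" (assumed attribute) will present
    requests from the TLS-terminating proxy as insecure, so CONFIDENTIAL
    transport-guarantee constraints redirect instead of serving the page.
    """
    listeners = undertow_listeners(undertow_xml)
    lost = []
    for binding, name in secure_connectors(web_xml).items():
        lst = listeners.get(binding)
        if lst is None:
            lost.append((name, "no listener for socket-binding " + binding))
        elif lst.tag == f"{{{UNDERTOW_NS}}}http-listener" and lst.get("secure", "false").lower() != "true":
            lost.append((name, 'http-listener lacks secure="true"'))
    return lost
```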
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)