Re: tomcat 6 j_security_check, Apache ProxyPass and the Origin: header
Anyone?

On 14/01/13 17:24, Watts, Timothy wrote:
> Hi,
>
> Is there a way to *tell* j_security_check that an Origin: header set
> (during the login POST request) to a remote server is permitted (and is
> not an XSS attack)?
>
> We have a tomcat server T running a tomcat webapp that uses
> j_security_check to auth users (Excuse me - I am not the tomcat
> programmer, I'm the sysadmin trying to help the programmer, so my
> terminology might be bad).
>
> Basically, http://T/webapp/jsp/login works OK
>
> On Server A running apache, we have a config:
>
> RewriteRule ^/jsp/(.*)$ http://T/webapp/jsp/$1 [P]
>
> (which is a ProxyPass - we have many rewrite rules so prefer to use
> RewriteRule for consistency)
>
> If we try to login to the tomcat webapp from http://A/jsp/login the
> POST request sends an Origin: header containing http://A/...
>
> Tomcat seems not to like this as it realises that server A is not where
> it is running.
>
> I made it work with a disgraceful hack in the apache config:
>
> RequestHeader edit Origin http:\/\/A\/ http:\/\/T\/ early
>
> But now Tomcat can log us in but sends the wrong URI host in the
> Location: header when it replies with the 302 redirect. So I fix this
> with:
>
> Header edit Location http:\/\/T\/webapp\/jsp\/ http://A/jsp/
>
> It works, but it is horrible and basically leaving a booby trap for the
> unwary.
>
> Many thanks,
>
> Tim

--
Tim Watts
Tel (VOIP): +44 (0)1580 848360
Systems Manager
Digital Humanities, King's College London
Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog: http://squiddy.blog.dionic.net/
A fanatic is one who can't change his mind and won't change the subject.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 6 j_security_check, Apache ProxyPass and the Origin: header
On 18/01/2013 11:07, Tim Watts wrote:
> Anyone?

Tomcat doesn't give two hoots about the origin header. It does care about
the Host header.

It is hard to tell exactly what is going wrong from your post but you may
need one or more of the following:

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypreservehost
Set this to on

Set proxyName=A and proxyPort=80 on the connector in server.xml

HTH,

Mark

> On 14/01/13 17:24, Watts, Timothy wrote:
>> Hi,
>>
>> Is there a way to *tell* j_security_check that an Origin: header set
>> (during the login POST request) to a remote server is permitted (and is
>> not an XSS attack)?
>>
>> We have a tomcat server T running a tomcat webapp that uses
>> j_security_check to auth users (Excuse me - I am not the tomcat
>> programmer, I'm the sysadmin trying to help the programmer, so my
>> terminology might be bad).
>>
>> Basically, http://T/webapp/jsp/login works OK
>>
>> On Server A running apache, we have a config:
>>
>> RewriteRule ^/jsp/(.*)$ http://T/webapp/jsp/$1 [P]
>>
>> (which is a ProxyPass - we have many rewrite rules so prefer to use
>> RewriteRule for consistency)
>>
>> If we try to login to the tomcat webapp from http://A/jsp/login the
>> POST request sends an Origin: header containing http://A/...
>>
>> Tomcat seems not to like this as it realises that server A is not where
>> it is running.
>>
>> I made it work with a disgraceful hack in the apache config:
>>
>> RequestHeader edit Origin http:\/\/A\/ http:\/\/T\/ early
>>
>> But now Tomcat can log us in but sends the wrong URI host in the
>> Location: header when it replies with the 302 redirect. So I fix this
>> with:
>>
>> Header edit Location http:\/\/T\/webapp\/jsp\/ http://A/jsp/
>>
>> It works, but it is horrible and basically leaving a booby trap for the
>> unwary.
>>
>> Many thanks,
>>
>> Tim
Re: tomcat 6 j_security_check, Apache ProxyPass and the Origin: header
On 18/01/13 11:27, André Warnier wrote:
> I don't know if this really helps or improves things, but the standard
> way of handling the Location in redirects is via the ProxyPassReverse
> directive (which is probably more efficient here - and more easily
> understood - than the Header-edit).
> The ProxyPassReverse directive should work whether you use ProxyPass or
> not.

Hi Andre,

Yes - I agree about ProxyPassReverse - that likely would fix the redirect
incorrectness.

> I do not really understand the problem with the Origin header though.
> Proxying from httpd to Tomcat (even with a different hostname) is a
> widely-used thing, and I have never heard of this kind of issue before.
> Maybe something specific to j_security_check, I just don't know.
> If you stop editing the request headers, and forward the requests via
> ProxyPass, do you get this problem also ?

I will try - A RewriteRule .. .. [P] should be equivalent to a ProxyPass,
but just in case there is a subtle difference I will give it a try.

I prefer the rewrite rules as there are a bunch of them for other reasons
and not mixing RewriteRule with ProxyPass makes it very clear what order
they are being actioned (which is important).

Re: j_security_check: I have seen a load of issues reported that match
this problem - usually the person reports a 408 error and everyone piles
in and tries to solve that with increasing timeout settings. The 408 is
clearly erroneous - and having fixed it myself by editing the Origin
header, that's clearly the causal factor.

Oddly enough, I did my usual trick of downloading the source code (for
tomcat 6) and doing a recursive grep for any mention of the Origin:
header. I found nothing! Which makes me wonder if the problem originates
in a generic Java library???

The whole damn thing is so poorly documented (or at least all I could
find was a document on how to enable auth checking) that I'm not able to
tell if there are some options that I *could* be setting in the web.xml
or somewhere.

It seems reasonable that it might whine about a cross-site auth effort,
but equally there should be a way to explicitly permit that, at least for
a named VHOST. As you say, proxying is very common - for load balancing if
nothing else.

I'll go and try your suggestions - Thanks :)

Tim

> Maybe you should also look at ProxypassReverseCookieDomain ?
Re: tomcat 6 j_security_check, Apache ProxyPass and the Origin: header
On 18/01/13 11:45, Mark Thomas wrote:
> On 18/01/2013 11:07, Tim Watts wrote:
>> Anyone?

Hi Mark,

> Tomcat doesn't give two hoots about the origin header.

Curious - I wonder how me editing it helped? Unless it caused some
knock-on somewhere.

> It does care about the Host header.

That would make more sense...

> It is hard to tell exactly what is going wrong from your post but you
> may need one or more of the following:
>
> http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypreservehost

Hmm - that would be worth a shot - I went down this road when trying to
stop Wordpress whining about being on the end of a proxy. Didn't work
there, but it might here.

> Set this to on
>
> Set proxyName=A and proxyPort=80 on the connector in server.xml

A being the host that is proxying to the tomcat server.

Cool - that is the sort of thing I was looking for - though I expected to
find it in the web.xml so maybe I was looking for the wrong thing...

> HTH,
>
> Mark

Thank you for your suggestions - I will try them shortly in conjunction
with Andre's.

Lucky - I seem to have bumped my mail just at the time all the experts
are around :-

Cheers :)

Tim
Re: tomcat 6 j_security_check, Apache ProxyPass and the Origin: header
On 18/01/2013 12:01, Tim Watts wrote:
> On 18/01/13 11:45, Mark Thomas wrote:
>> On 18/01/2013 11:07, Tim Watts wrote:
>>> Anyone?
>
> Hi Mark,
>
>> Tomcat doesn't give two hoots about the origin header.
>
> Curious - I wonder how me editing it helped? Unless it caused some
> knock-on somewhere.

Tomcat doesn't care about that header but if you are using some other
framework to provide the authentication then it might.

Mark
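As an added example (not from the thread or from any of its authors), here is the httpd configuration on A that replaces the two header edits with André's ProxyPassReverse suggestion, with Mark's ProxyPreserveHost/proxyName alternative noted. Hostnames A and T and the /webapp context path are the thread's placeholders; the cookie-path mapping is an assumption based on Tomcat setting JSESSIONID for its context path.

```apacheconf
# Added example, not the thread's own config. Front-end httpd "A" proxies
# /jsp/ to the Tomcat webapp on "T" (both names are placeholders).
RewriteEngine On
RewriteRule ^/jsp/(.*)$ http://T/webapp/jsp/$1 [P]

# The original workaround, kept only for contrast (do not use):
#   RequestHeader edit Origin   http:\/\/A\/  http:\/\/T\/  early
#   Header        edit Location http:\/\/T\/webapp\/jsp\/  http://A/jsp/

# Replacement: let mod_proxy rewrite the 302 Location itself. It works with
# a RewriteRule [P] just as with ProxyPass. ProxyPassReverse matches the
# literal URL prefix Tomcat emits, so it must name the host and path Tomcat
# currently believes it is serving (T and /webapp with the defaults).
ProxyPassReverse /jsp/ http://T/webapp/jsp/

# Tomcat sets JSESSIONID with Path=/webapp, which the browser will not send
# back on /jsp/ requests via A; map the cookie path to the front-end path so
# the login session survives the j_security_check round trip.
ProxyPassReverseCookiePath /webapp /

# Alternative: make Tomcat emit the front-end host itself, either by passing
# the client's Host header through:
#   ProxyPreserveHost On
# or by setting proxyName="A" proxyPort="80" on the Connector in server.xml.
# Tomcat's Location then starts with http://A/webapp/jsp/, so the reverse
# mapping must match that form instead of the T form above:
#   ProxyPassReverse /jsp/ http://A/webapp/jsp/
```

Whichever variant is used, check the result with a login POST through A and inspect the Location and Set-Cookie response headers before removing the header edits.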
tomcat 6 j_security_check, Apache ProxyPass and the Origin: header
Hi,

Is there a way to *tell* j_security_check that an Origin: header set
(during the login POST request) to a remote server is permitted (and is
not an XSS attack)?

We have a tomcat server T running a tomcat webapp that uses
j_security_check to auth users (Excuse me - I am not the tomcat
programmer, I'm the sysadmin trying to help the programmer, so my
terminology might be bad).

Basically, http://T/webapp/jsp/login works OK

On Server A running apache, we have a config:

RewriteRule ^/jsp/(.*)$ http://T/webapp/jsp/$1 [P]

(which is a ProxyPass - we have many rewrite rules so prefer to use
RewriteRule for consistency)

If we try to login to the tomcat webapp from http://A/jsp/login the POST
request sends an Origin: header containing http://A/...

Tomcat seems not to like this as it realises that server A is not where
it is running.

I made it work with a disgraceful hack in the apache config:

RequestHeader edit Origin http:\/\/A\/ http:\/\/T\/ early

But now Tomcat can log us in but sends the wrong URI host in the
Location: header when it replies with the 302 redirect. So I fix this
with:

Header edit Location http:\/\/T\/webapp\/jsp\/ http://A/jsp/

It works, but it is horrible and basically leaving a booby trap for the
unwary.

Many thanks,

Tim

--
Tim Watts