Stephen, thank you for the clarification. I am wondering why mod_proxy would change the https into an http. Maybe you want to set up two vhost definitions in Apache one for http and one for https. Felix can listen to https requests as well, a look into the Felix documentation should clarify that quickly [1], there are a couple of configuration keys starting with "org.apache.felix.https".
>From my understanding, this should make sure that in spring security, the >request url *does* contain the https as the protocol. One problem could be the >matching of organizations in multi tenancy setups, which if I recall >correctly, includes the protocol. Does that help you move forward? Tobias [1] http://felix.apache.org/site/apache-felix-http-service.html On 14.02.2012, at 19:24, Stephen Marquard wrote: > The http://.../lti is the launch URL for the LTI tool. > > An LTI consumer does a POST to that URL with a bunch of parameters and > a signature, which is calculated as an oauth hash of the parameters and > launch URL. > > The problem is that if the launch URL is https://..../lti then the > signature is calculated by the LTI consumer (in the LMS) to include the > https:// variant of the URL, whereas on the Matterhorn side, > because Matterhorn itself is unaware that the request is sent to an > https URL (because it has an apache in front of it with mod_proxy), it > calculates the signature using the http://.../lti form of the URL, and > hence the signatures no longer match because they're calculated on a > different set of items. > > So the question is how can Spring security know that in this case it's > actually being invoked as an https URL rather than http. > > Cheers > Stephen > > > -- > Stephen Marquard, Acting Director > Centre for Educational Technology, University of Cape Town > http://www.cet.uct.ac.za > Email / IM (Jabber/XMPP): [email protected] > Phone: +27-21-650-5037 Cell: +27-83-500-5290 > > >>>> Tobias Wunden <[email protected]> 2/14/2012 5:51 PM >>> > Hi David, > > where exactly did you find the "http://.../lti";? > > Tobias > > On 14.02.2012, at 11:09, David Horwitz wrote: > >> Hi All, >> >> I'm looking into a problem we're seeing in LTI if you set it to > connect via ssl which causes the signature to fail. >> >> The setup looks like this: >> >> client -> ssl to apache -> mod_proxy http -> matterhorn >> >> This causes the oauth key to fail but connecting to apache via http > seems to work. Looking in the spring methods it seems that the resource > name is set to something like "http://matterhornsers/lti"; and which of > course doesn't match the request path. Is there any way of overriding > this? >> >> >> Thanks >> >> D >> >> _______________________________________________ >> Matterhorn mailing list >> [email protected] >> http://lists.opencastproject.org/mailman/listinfo/matterhorn >> >> >> To unsubscribe please email >> [email protected] >> _______________________________________________ > > _______________________________________________ > Matterhorn mailing list > [email protected] > http://lists.opencastproject.org/mailman/listinfo/matterhorn > > > To unsubscribe please email > [email protected] > _______________________________________________ > > > > > > > ### > > UNIVERSITY OF CAPE TOWN > > This e-mail is subject to the UCT ICT policies and e-mail disclaimer > published on our website at > http://www.uct.ac.za/about/policies/emaildisclaimer/ or obtainable from > +27 21 650 9111. This e-mail is intended only for the person(s) to whom > it is addressed. If the e-mail has reached you in error, please notify > the author. If you are not the intended recipient of the e-mail you may > not use, disclose, copy, redirect or print the content. If this e-mail > is not related to the business of UCT it is sent by the sender in the > sender's individual capacity. > > ### > > > _______________________________________________ > Matterhorn mailing list > [email protected] > http://lists.opencastproject.org/mailman/listinfo/matterhorn > > > To unsubscribe please email > [email protected] > _______________________________________________ _______________________________________________ Matterhorn mailing list [email protected] http://lists.opencastproject.org/mailman/listinfo/matterhorn To unsubscribe please email [email protected] _______________________________________________
