Thanks, Tobias - this did the trick.
Configured Felix to run on SSL (using a cert signed by our internal CA)
and pointed Apache (which already had a Thawte cert) to proxy the SSL,
and all worked.
D
On 02/14/2012 09:52 PM, Tobias Wunden wrote:
Stephen,
thank you for the clarification. I am wondering why mod_proxy would change the https into
an http. Maybe you want to set up two vhost definitions in Apache, one for http and one
for https. Felix can listen to https requests as well, a look into the Felix
documentation should clarify that quickly [1], there are a couple of configuration keys
starting with "org.apache.felix.https".
From my understanding, this should make sure that in spring security, the
request url *does* contain the https as the protocol. One problem could be the
matching of organizations in multi tenancy setups, which if I recall correctly,
includes the protocol.
Does that help you move forward?
Tobias
[1] http://felix.apache.org/site/apache-felix-http-service.html
On 14.02.2012, at 19:24, Stephen Marquard wrote:
The http://.../lti is the launch URL for the LTI tool.
An LTI consumer does a POST to that URL with a bunch of parameters and
a signature, which is calculated as an oauth hash of the parameters and
launch URL.
The problem is that if the launch URL is https://..../lti then the
signature is calculated by the LTI consumer (in the LMS) to include the
https:// variant of the URL, whereas on the Matterhorn side,
because Matterhorn itself is unaware that the request is sent to an
https URL (because it has an apache in front of it with mod_proxy), it
calculates the signature using the http://.../lti form of the URL, and
hence the signatures no longer match because they're calculated on a
different set of items.
So the question is how can Spring security know that in this case it's
actually being invoked as an https URL rather than http.
Cheers
Stephen
--
Stephen Marquard, Acting Director
Centre for Educational Technology, University of Cape Town
http://www.cet.uct.ac.za
Email / IM (Jabber/XMPP): [email protected]
Phone: +27-21-650-5037 Cell: +27-83-500-5290
>>> Tobias Wunden <[email protected]> 2/14/2012 5:51 PM >>>
Hi David,
where exactly did you find the "http://.../lti"?
Tobias
On 14.02.2012, at 11:09, David Horwitz wrote:
Hi All,
I'm looking into a problem we're seeing in LTI if you set it to
connect via ssl which causes the signature to fail.
The setup looks like this:
client -> ssl to apache -> mod_proxy http -> matterhorn
This causes the oauth key to fail but connecting to apache via http
seems to work. Looking in the spring methods it seems that the resource
name is set to something like "http://matterhornsers/lti", which of
course doesn't match the request path. Is there any way of overriding
this?
Thanks
D
_______________________________________________
Matterhorn mailing list
[email protected]
http://lists.opencastproject.org/mailman/listinfo/matterhorn
To unsubscribe please email
[email protected]
_______________________________________________
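
The mismatch discussed in this thread, as an added example that is not part of the original messages or of Matterhorn's code: an OAuth 1.0 HMAC-SHA1 signature (RFC 5849) covers the request URL including its scheme, so a provider that rebuilds the URL as http:// behind a TLS-terminating proxy computes a different value. The host name, consumer key, secret and parameter values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(value: str) -> str:
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")


def base_url(url: str) -> str:
    """Base string URI: lowercase scheme and host, default port and query dropped."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def sign(method: str, url: str, params: dict, consumer_secret: str) -> str:
    """Sign METHOD & URL & sorted parameters; LTI launches carry no token secret."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(base_url(url)), pct(normalized)])
    key = f"{pct(consumer_secret)}&".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method: str, url_seen_by_provider: str, params: dict, secret: str) -> bool:
    """Recompute the signature from the URL the provider believes it was called on."""
    expected = sign(method, url_seen_by_provider, params, secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


# Constructed launch POST, signed by the LTI consumer against the public https URL.
SECRET = "example-secret"
LAUNCH = {
    "oauth_consumer_key": "example-key", "oauth_nonce": "n0nce", "oauth_version": "1.0",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1329213000",
    "lti_message_type": "basic-lti-launch-request", "lti_version": "LTI-1p0",
    "resource_link_id": "course-42",
}
LAUNCH["oauth_signature"] = sign("POST", "https://matterhorn.example.org/lti", LAUNCH, SECRET)

if __name__ == "__main__":
    # Provider behind mod_proxy over plain http sees an http:// URL: verification fails.
    print(verify("POST", "http://matterhorn.example.org/lti", LAUNCH, SECRET))
    # Provider that sees the request as https (Felix listening on SSL): verification passes.
    print(verify("POST", "https://matterhorn.example.org/lti", LAUNCH, SECRET))
```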