Good day
Pax-web-undertow 7.3.3 ignores the proxy-address-forwarding attribute and
org.osgi.service.http.checkForwardedHeaders
property.
As a result none of the X-Forwarded headers are applied to the http request
in scenarios where SSL is offloaded using a load balancer.
This in turn causes the java keycloak adapter to formulate incorrect
redirect_uri values and breaks the standard OIDC flow.
We are running pax-web-undertow as part of the Redhat JBoss Fuse 7.4.0
distribution.
I applied a fix to the web-7.3.3 tag and have tested it successfully in our
environment. Find attached my changes for possible inclusion in
an upcoming 7.3.x release.
Hannes
diff --git a/pax-web-undertow/src/main/java/org/ops4j/pax/web/service/undertow/internal/configuration/model/Server.java b/pax-web-undertow/src/main/java/org/ops4j/pax/web/service/undertow/internal/configuration/model/Server.java
index ecb1c86..0c9dbd1 100644
--- a/pax-web-undertow/src/main/java/org/ops4j/pax/web/service/undertow/internal/configuration/model/Server.java
+++ b/pax-web-undertow/src/main/java/org/ops4j/pax/web/service/undertow/internal/configuration/model/Server.java
@@ -263,6 +263,8 @@ public class Server {
//<xs:attribute name="certificate-forwarding" use="optional" type="xs:string" default="false">
//<xs:attribute name="redirect-socket" use="optional" type="xs:string">
//<xs:attribute name="proxy-address-forwarding" use="optional" type="xs:string" default="false">
+ @XmlAttribute(name = "proxy-address-forwarding")
+ private String proxyAddressForwarding;
//<xs:attribute name="enable-http2" use="optional" type="xs:string">
//<xs:attribute name="http2-enable-push" type="xs:boolean" use="optional" />
//<xs:attribute name="http2-header-table-size" type="xs:int" use="optional" />
@@ -280,6 +282,14 @@ public class Server {
this.redirectSocket = redirectSocket;
}
+ public String getProxyAddressForwarding() {
+ return proxyAddressForwarding;
+ }
+
+ public void setProxyAddressForwarding(String proxyAddressForwarding) {
+ this.proxyAddressForwarding = proxyAddressForwarding;
+ }
+
@Override
public String toString() {
final StringBuilder sb = new StringBuilder("{ ");
@@ -297,6 +307,7 @@ public class Server {
sb.append(", url charset: ").append(urlCharset);
sb.append(", secure: ").append(secure);
sb.append(", redirect socket: ").append(redirectSocket);
+ sb.append(", proxy address forwarding: ").append(proxyAddressForwarding);
sb.append(" }");
return sb.toString();
}
@@ -318,6 +329,8 @@ public class Server {
private List<String> enabledProtocols = new ArrayList<>();
//<xs:attribute name="certificate-forwarding" use="optional" type="xs:string" default="false">
//<xs:attribute name="proxy-address-forwarding" use="optional" type="xs:string" default="false">
+ @XmlAttribute(name = "proxy-address-forwarding")
+ private String proxyAddressForwarding;
//<xs:attribute name="enable-http2" use="optional" type="xs:string">
//<xs:attribute name="enable-spdy" use="optional" type="xs:string">
//<xs:attribute name="ssl-session-cache-size" use="optional" type="xs:string"/>
@@ -362,6 +375,14 @@ public class Server {
return enabledProtocols;
}
+ public String getProxyAddressForwarding() {
+ return proxyAddressForwarding;
+ }
+
+ public void setProxyAddressForwarding(String proxyAddressForwarding) {
+ this.proxyAddressForwarding = proxyAddressForwarding;
+ }
+
@Override
public String toString() {
final StringBuilder sb = new StringBuilder("{ ");
@@ -382,6 +403,7 @@ public class Server {
sb.append(", verify client: ").append(verifyClient);
sb.append(", enabled cipher suites: ").append(enabledCipherSuites);
sb.append(", enabled protocols: ").append(enabledProtocols);
+ sb.append(", proxy address forwarding: ").append(proxyAddressForwarding);
sb.append(" }");
return sb.toString();
}
diff --git a/pax-web-undertow/src/main/java/org/ops4j/pax/web/service/undertow/internal/ServerControllerImpl.java b/pax-web-undertow/src/main/java/org/ops4j/pax/web/service/undertow/internal/ServerControllerImpl.java
index be2fc8c..b224e24 100644
--- a/pax-web-undertow/src/main/java/org/ops4j/pax/web/service/undertow/internal/ServerControllerImpl.java
+++ b/pax-web-undertow/src/main/java/org/ops4j/pax/web/service/undertow/internal/ServerControllerImpl.java
@@ -117,6 +117,7 @@ import io.undertow.server.handlers.PathHandler;
import io.undertow.server.handlers.accesslog.AccessLogHandler;
import io.undertow.server.handlers.accesslog.AccessLogReceiver;
import io.undertow.server.handlers.accesslog.DefaultAccessLogReceiver;
+import io.undertow.server.handlers.ProxyPeerAddressHandler;
/**
* @author Guillaume Nodet
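Review bot: The new import on the `+` line is appended after the `io.undertow.server.handlers.accesslog.*` imports, which breaks the alphabetical order of the `io.undertow.server.handlers` group that the surrounding lines follow. Moving `import io.undertow.server.handlers.ProxyPeerAddressHandler;` up to sit before `import io.undertow.server.handlers.accesslog.AccessLogHandler;` keeps the group sorted and avoids a formatter churn on the next pass.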
@@ -390,6 +391,10 @@ public class ServerControllerImpl implements ServerController, ServerControllerE
}
}
+ if (configuration.checkForwardedHeaders()) {
+ rootHandler = new ProxyPeerAddressHandler(rootHandler);
+ }
+
return rootHandler;
}
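Review bot: The `ProxyPeerAddressHandler` wrapped around `rootHandler` here rewrites the request's peer address, scheme, host and port from whatever `X-Forwarded-*` headers the connecting peer sends, so once `checkForwardedHeaders()` is on those values are caller-controlled unless the listener is reachable only through the proxy that sets them; every downstream consumer of the remote address (access log, any IP-based filter) or of the scheme/host (the redirect_uri the description mentions) inherits that trust, and nothing in the hunk restricts it to a known proxy. Please record that precondition at the wrapping site, e.g. `// Trusts X-Forwarded-* from the connecting peer: enable only when this listener is reachable solely via the proxy that sets them.` The same wrapping is repeated in the hunk at old line 580 driven by the XML `proxy-address-forwarding` attribute, where setting it on either the http or the https listener applies the handler to the shared chain for both; if both configuration paths can act on the same `rootHandler`, the handler would be applied twice, which I cannot confirm since both enclosing methods start outside their hunks. The method containing this hunk also starts outside the hunk.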
@@ -580,6 +585,12 @@ public class ServerControllerImpl implements ServerController, ServerControllerE
}
}
+ if ((http != null && Boolean.parseBoolean(http.getProxyAddressForwarding())) ||
+ (https != null && Boolean.parseBoolean(https.getProxyAddressForwarding()))) {
+
+ rootHandler = new ProxyPeerAddressHandler(rootHandler);
+ }
+
// global filters (subsystem/filters/response-header and subsystem/filters/filter)
if (cfg.getSubsystem().getServer().getHost() != null) {
for (Server.Host.FilterRef fr : cfg.getSubsystem().getServer().getHost().getFilterRef()) {