Return-Path: 
 <users-return-48380-apmail-cxf-users-archive=cxf.apache.org@cxf.apache.org>
X-Original-To: apmail-cxf-users-archive@www.apache.org
Delivered-To: apmail-cxf-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id DF34F180C3
	for <apmail-cxf-users-archive@www.apache.org>;
 Wed, 19 Aug 2015 09:27:32 +0000 (UTC)
Received: (qmail 78583 invoked by uid 500); 19 Aug 2015 09:27:29 -0000
Delivered-To: apmail-cxf-users-archive@cxf.apache.org
Received: (qmail 78513 invoked by uid 500); 19 Aug 2015 09:27:29 -0000
Mailing-List: contact users-help@cxf.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@cxf.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@cxf.apache.org>
List-Post: <mailto:users@cxf.apache.org>
List-Id: <users.cxf.apache.org>
Reply-To: users@cxf.apache.org
Delivered-To: mailing list users@cxf.apache.org
Received: (qmail 78496 invoked by uid 99); 19 Aug 2015 09:27:28 -0000
Received: from Unknown (HELO spamd1-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 19 Aug 2015 09:27:28 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org)
 with ESMTP id 8963EDF1B9
	for <users@cxf.apache.org>; Wed, 19 Aug 2015 09:27:28 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Level: 
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=6.31
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	URIBL_BLOCKED=0.001] autolearn=disabled
Authentication-Results: spamd1-us-west.apache.org (amavisd-new);
	dkim=pass (2048-bit key) header.d=gmail.com
Received: from mx1-us-west.apache.org ([10.40.0.8])
	by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new,
 port 10024)
	with ESMTP id Vo6ZOgANeZFu for <users@cxf.apache.org>;
	Wed, 19 Aug 2015 09:27:16 +0000 (UTC)
Received: from mail-wi0-f182.google.com (mail-wi0-f182.google.com
 [209.85.212.182])
	by mx1-us-west.apache.org (ASF Mail Server at mx1-us-west.apache.org) with
 ESMTPS id 93A9320757
	for <users@cxf.apache.org>; Wed, 19 Aug 2015 09:27:15 +0000 (UTC)
Received: by wibhh20 with SMTP id hh20so2396343wib.0
        for <users@cxf.apache.org>; Wed, 19 Aug 2015 02:27:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=message-id:date:from:user-agent:mime-version:to:subject:references
         :in-reply-to:content-type:content-transfer-encoding;
        bh=iDvYwxvILrGnc4MwOTRY8kY9lhyZqAOjqPxiGu5RmC0=;
        b=Frwim2SQ0OM5wYpF+3HhkcVXM5ppW4zN6PaCrvlI03YVSSXFw9vQIH59DOKogGd28N
         OGu6G1971S5/G3UxY6dkPfHrjK0Jg+dKZ2KycglzdouH0HPmLslznkjWjZK9FdC4tQ5j
         ewH27y9vq8JTDdBYd1WXn5Wv3NSIB8rfRql5xowVYPNOA8mfOmwPQSE9o9i4LKk+DnuD
         XMaQy0lnUjJQn1j1S5Y+JZAKgocjClRT0SOVmC09EawnYtpksVTgGcje4gPP6NM4Tqh4
         WSGGGXhqymzgEmDhvDycBaZk+3sJa6QVAcEbK0MQ6TdNrpCIRCztn66J2fXz0erutK5z
         NYig==
X-Received: by 10.180.90.65 with SMTP id bu1mr39568520wib.0.1439976434369;
        Wed, 19 Aug 2015 02:27:14 -0700 (PDT)
Received: from [192.168.2.4] ([89.100.27.122])
        by smtp.googlemail.com with ESMTPSA id
 ej5sm143929wjd.22.2015.08.19.02.27.13
        for <users@cxf.apache.org>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 19 Aug 2015 02:27:13 -0700 (PDT)
Message-ID: <55D44BF1.8010507@gmail.com>
Date: Wed, 19 Aug 2015 10:27:13 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: users@cxf.apache.org
Subject: Re: HTTPS and WADL URLs...
References: 
 <CALznzY45yY8An1e6KjBFCnfqV+O3TqHTxvLk8U8jOsx8p3fhLA@mail.gmail.com>
 <55C4E095.3050507@gmail.com>
 <CALznzY6QGzj8_kp1OnZ3iQ2fDnWqr_L6aJCs8TwE684OeBo-mw@mail.gmail.com>
 <55C79CD3.3060302@gmail.com>
 <CALznzY5u-F6BR87OvLpbQUnnfVq5UgOqfi-4YjU2nL-8HNJ2RA@mail.gmail.com>
 <CALznzY7NjnDrLn+AootJfrvuD--+eLS9zyc_gdue-iEjuGAcmA@mail.gmail.com>
 <55D2F550.9060608@gmail.com>
 <CALznzY7vEkxjJC-azVhUPQbkUMMzeiMvxHFfCFV9hsXtFrOA_A@mail.gmail.com>
 <55D35B4B.7070507@gmail.com> <55D39491.3030009@gmail.com>
In-Reply-To: <55D39491.3030009@gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

I recall now that one of the thoughts I had that if it is supported OOB 
then the servers that are not protected by the secure LB system can 
become affected by those headers, example, it can be HTTP but the 
headers can make the server believe it is HTTPS...

Sergey
On 18/08/15 21:24, Sergey Beryozkin wrote:
> perhaps others think it should be defaulted to true, obviously it is not
> written in stone (false). My thinking was, this is more likely to cause
> a surprise, hence it is disabled by default. It is an advanced case, so
> enabling supporting X-Forwarded-* is probably reasonable.
> if Aki, others, have some prefs then it can be reviewed of course
> thanks, Sergey
> On 18/08/15 17:20, Sergey Beryozkin wrote:
>> No idea about a downside. This is a rare case, talking about 80% vs 20%
>> here, it is also a non-standard HTTP header, hence IMHO having it
>> affecting what the application code sees (request URI, etc) is disabled
>> by default.
>>
>> Cheers, Sergey
>> On 18/08/15 17:16, James Carman wrote:
>>> Any reason we don't default that forwarded proto setting to true? Is
>>> there
>>> a downside?
>>> On Tue, Aug 18, 2015 at 5:05 AM Sergey Beryozkin <sberyozkin@gmail.com>
>>> wrote:
>>>
>>>> Hi James
>>>>
>>>> Thanks for spotting it, I recall now we fixed it by supporting the init
>>>> prefix property which should be recognized by pax-*:
>>>>
>>>> https://issues.apache.org/jira/browse/CXF-6292
>>>>
>>>> and
>>>>
>>>>
>>>> https://git1-us-west.apache.org/repos/asf?p=cxf.git;a=blobdiff;f=rt/transports/http/src/main/resources/OSGI-INF/blueprint/osgiservlet.xml;h=99481fc7e18a05d179cc42035717adbdd89dbdae;hp=b08dbd5209f3a550188887f34e9c235780c0c121;hb=ed2196b4;hpb=566787ec5cc6b9519e575df6434e212ff384c85a
>>>>
>>>>
>>>>
>>>> Setting it to "init." will likely affect CXF OSGI users who are not
>>>> depending on pax web components which expect the init prefixes.
>>>>
>>>> Can you try the configurable init prefix property and close the pull if
>>>> it works for you ?
>>>>
>>>> Thanks, Sergey
>>>>
>>>> On 18/08/15 04:38, James Carman wrote:
>>>>> Oh, and I created a JIRA also:
>>>>>
>>>>> https://issues.apache.org/jira/browse/CXF-6547
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Aug 17, 2015 at 11:37 PM James Carman <
>>>> james@carmanconsulting.com>
>>>>> wrote:
>>>>>
>>>>>> Sergey,
>>>>>>
>>>>>> I have created a pull request to fix this issue in OSGi:
>>>>>>
>>>>>> https://github.com/apache/cxf/pull/82
>>>>>>
>>>>>> The issue is that PAX Web changed the init-param detection so that
>>>> service
>>>>>> properties must include a prefix in order to be considered to be an
>>>>>> init-param (ask Achim, he did it :).  Anyway, merely adding "init."
>>>> before
>>>>>> all the params makes them show up.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> James
>>>>>>
>>>>>> On Sun, Aug 9, 2015 at 2:33 PM Sergey Beryozkin
>>>>>> <sberyozkin@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> I signed off after the 1st reply...
>>>>>>> Is there a chance you can set a breakpoint in
>>>>>>>
>>>>>>>
>>>>>>>
>>>> https://fisheye6.atlassian.com/browse/cxf/rt/transports/http/src/main/java/org/apache/cxf/transport/servlet/AbstractHTTPServlet.java?r=f5655d81ea6a880cf6b8b1cdcabddf1cd4dbe869#to297
>>>>
>>>>
>>>>>>>
>>>>>>> ?
>>>>>>>
>>>>>>> I can try a basic test a bit later on too,
>>>>>>>
>>>>>>> Cheers, Sergey
>>>>>>> On 07/08/15 18:40, James Carman wrote:
>>>>>>>> On Fri, Aug 7, 2015 at 12:46 PM Sergey Beryozkin <
>>>> sberyozkin@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> CXFServlet has a "use-x-forwarded-headers" boolean parameter,
>>>>>>>>> if it
>>>> is
>>>>>>>>> set to true then CXFServlet will check X-FORWARDED-PROTO, I recall
>>>>>>>>> adding the code to support something similar, can you try it, I
>>>>>>>>> think
>>>>>>>>> ELB should have these headers set when forwarding
>>>>>>>>>
>>>>>>>>
>>>>>>>> Sergey,
>>>>>>>>
>>>>>>>> Thanks for the tip!  I'm setting it up in Karaf and have verified
>>>>>>>> that
>>>>>>> the
>>>>>>>> config is there:
>>>>>>>>
>>>>>>>> config:list "(service.pid=org.apache.cxf.osgi)"
>>>>>>>> ----------------------------------------------------------------
>>>>>>>> Pid:            org.apache.cxf.osgi
>>>>>>>> BundleLocation: mvn:org.apache.cxf/cxf-rt-transports-http/3.0.5
>>>>>>>> Properties:
>>>>>>>>       felix.fileinstall.filename =
>>>>>>>> file:/opt/aetos/etc/org.apache.cxf.osgi.cfg
>>>>>>>>       org.apache.cxf.servlet.context = /services
>>>>>>>>       org.apache.cxf.servlet.use-x-forwarded-headers = true
>>>>>>>>       service.pid = org.apache.cxf.osgi
>>>>>>>>
>>>>>>>> My WADL still has "http" links in it, even though I see these
>>>>>>>> headers
>>>>>>> when
>>>>>>>> I request the WADL:
>>>>>>>>
>>>>>>>> X-Forwarded-For=[X.X.X.X], X-Forwarded-Port=[443],
>>>>>>> X-Forwarded-Proto=[https]
>>>>>>>>
>>>>>>>> Can you think of anything I'm missing?  Could it be that just the
>>>>>>>> WADL
>>>>>>> is
>>>>>>>> borked, but usage of UrlInfo in my JAX-RS resources will work fine?
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Sergey Beryozkin
>>>>>>>
>>>>>>> Talend Community Coders
>>>>>>> http://coders.talend.com/
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Sergey Beryozkin
>>>>
>>>> Talend Community Coders
>>>> http://coders.talend.com/
>>>>
>>>
>>
>>
>
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/