tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Watts <>
Subject tomcat 6 j_security_check, Apache ProxyPass and the Origin: header
Date Mon, 14 Jan 2013 17:24:41 GMT

Is there a way to *tell* j_security_check that an Origin: header set 
(during the login POST request) to a remote server is permitted (and is 
not an XSS attack)?

We have a tomcat server T running a tomcat webapp that uses 
j_security_check to auth users

(Excuse me - I am not the tomcat programmer, I'm the sysadmin trying to 
help the programmer, so my terminology might be bad).


http://T/webapp/jsp/login works OK

On Server A running apache, we have a config:

RewriteRule ^/jsp/(.*)$ http://T/webapp/jsp/$1 [P]

(which is a ProxyPass - we have many rewrite rules so prefer to use 
RewriteRule for consistency)

If we try to login to the tomcat webapp from


the POST request sends an Origin: header containing http:://A/...

Tomcat seems not to like this as it realises that server A is not where 
it is running.

I made it work with a disgraceful hack in the apache config:

RequestHeader edit Origin http:\/\/A\/ http:\/\/T\/ early

But now Tomcat can log us in but sends the wrong URI host in the 
Location: header when it replies with the 302 redirect. So I "fix" this 

Header edit Location http:\/\/T\/webapp\/jsp\/ http://A/jsp/

It works, but it is horrible and basically leaving a booby trap for the 

Many thanks,


Tim Watts

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message