tomcat-users mailing list archives

From Tim Watts <tim.j.wa...@kcl.ac.uk>
Subject Re: tomcat 6 j_security_check, Apache ProxyPass and the Origin: header
Date Fri, 18 Jan 2013 11:07:34 GMT
Anyone?

On 14/01/13 17:24, Watts, Timothy wrote:
> Hi,
>
> Is there a way to *tell* j_security_check that an Origin: header set
> (during the login POST request) to a remote server is permitted (and is
> not an XSS attack)?
>
> We have a tomcat server T running a tomcat webapp that uses
> j_security_check to auth users
>
> (Excuse me - I am not the tomcat programmer, I'm the sysadmin trying to
> help the programmer, so my terminology might be bad).
>
> Basically,
>
> http://T/webapp/jsp/login works OK
>
> On Server A running apache, we have a config:
>
> RewriteRule ^/jsp/(.*)$ http://T/webapp/jsp/$1 [P]
>
> (which is a ProxyPass - we have many rewrite rules so prefer to use
> RewriteRule for consistency)
>
> If we try to login to the tomcat webapp from
>
> http://A/jsp/login
>
> the POST request sends an Origin: header containing http://A/...
>
> Tomcat seems not to like this as it realises that server A is not where
> it is running.
>
> I made it work with a disgraceful hack in the apache config:
>
> RequestHeader edit Origin http:\/\/A\/ http:\/\/T\/ early
>
> But now Tomcat can log us in but sends the wrong URI host in the
> Location: header when it replies with the 302 redirect. So I "fix" this
> with:
>
> Header edit Location http:\/\/T\/webapp\/jsp\/ http://A/jsp/
>
> It works, but it is horrible and basically leaving a booby trap for the
> unwary.
>
> Many thanks,
>
> Tim
>


-- 
Tim Watts                               Tel (VOIP): +44 (0)1580 848360
Systems Manager              Digital Humanities, King's College London

Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog:                         http://squiddy.blog.dionic.net/

"A fanatic is one who can't change his mind and won't change the subject."


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
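The usual way to get this behaviour out of mod_proxy without hand-editing the Origin: and Location: headers is to let Apache pass the client's Host: header through to Tomcat (ProxyPreserveHost) and let mod_proxy map the backend's redirects and cookie paths back (ProxyPassReverse and ProxyPassReverseCookiePath). The fragment below is an added example for this thread, not the original poster's configuration and not part of Tomcat or Apache documentation. It assumes: A is the public hostname users type, T is the Tomcat host, the application is deployed under the context path /webapp, the Tomcat session is cookie-based (JSESSIONID), and Apache 2.2 with mod_proxy, mod_proxy_http and mod_rewrite loaded.

```apache
# Added example for the thread above, not the poster's own config.
# Assumptions: public host A, Tomcat host T, app context /webapp,
# Apache 2.2 with mod_proxy, mod_proxy_http and mod_rewrite loaded.
<VirtualHost *:80>
    ServerName A

    RewriteEngine On

    # Send the client's Host: header ("A") to Tomcat instead of "T".
    # Tomcat then builds its absolute redirect URLs from "A", and whatever
    # compares the request host with the Origin: header (scheme://host[:port])
    # sees "A" on both sides, so the Origin: header is never touched here.
    ProxyPreserveHost On

    # Same proxying rule as in the post, kept as a RewriteRule for consistency
    # with the other rewrite rules on this server.
    RewriteRule ^/jsp/(.*)$ http://T/webapp/jsp/$1 [P]

    # Let mod_proxy rewrite Location: (and Content-Location:) headers coming
    # back from Tomcat into the public URL space. Because Host: is preserved,
    # Tomcat emits http://A/webapp/jsp/..., so the backend URL given here
    # must start with A, not T, or the prefix will never match.
    ProxyPassReverse /jsp/ http://A/webapp/jsp/

    # Tomcat scopes the JSESSIONID cookie to its context path (Path=/webapp).
    # Browsers would not send it back for /jsp/ URLs unless the path is
    # rewritten as well (assumed needed here because sessions are cookie-based).
    ProxyPassReverseCookiePath /webapp /jsp
</VirtualHost>
```

Two things worth checking once this is in place: with ProxyPreserveHost On the Host: value reaching Tomcat is whatever the client sent, so keep the proxy rules inside a VirtualHost with an explicit ServerName and make sure T is not reachable except through the proxy; and after a successful login, confirm with the browser's network tool that the 302 Location: already points at http://A/jsp/... and that the JSESSIONID cookie arrives with Path=/jsp, which means neither Header edit is needed any more. A blanket override such as RequestHeader set Origin http://T would make every cross-site POST look same-origin to Tomcat and defeat the point of the check, which is why preserving the host is preferable to editing the header at all.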

