tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: tomcat 6 j_security_check, Apache ProxyPass and the Origin: header
Date Fri, 18 Jan 2013 11:27:50 GMT
Tim Watts wrote:
> Anyone?
> 
> On 14/01/13 17:24, Watts, Timothy wrote:
>> Hi,
>>
>> Is there a way to *tell* j_security_check that an Origin: header set
>> (during the login POST request) to a remote server is permitted (and is
>> not an XSS attack)?
>>
>> We have a tomcat server T running a tomcat webapp that uses
>> j_security_check to auth users
>>
>> (Excuse me - I am not the tomcat programmer, I'm the sysadmin trying to
>> help the programmer, so my terminology might be bad).
>>
>> Basically,
>>
>> http://T/webapp/jsp/login works OK
>>
>> On Server A running apache, we have a config:
>>
>> RewriteRule ^/jsp/(.*)$ http://T/webapp/jsp/$1 [P]
>>
>> (which is a ProxyPass - we have many rewrite rules so prefer to use
>> RewriteRule for consistency)
>>
>> If we try to login to the tomcat webapp from
>>
>> http://A/jsp/login
>>
>> the POST request sends an Origin: header containing http://A/...
>>
>> Tomcat seems not to like this as it realises that server A is not where
>> it is running.
>>
>> I made it work with a disgraceful hack in the apache config:
>>
>> RequestHeader edit Origin http:\/\/A\/ http:\/\/T\/ early
>>
>> But now Tomcat can log us in but sends the wrong URI host in the
>> Location: header when it replies with the 302 redirect. So I "fix" this
>> with:
>>
>> Header edit Location http:\/\/T\/webapp\/jsp\/ http://A/jsp/
>>

I don't know if this really helps or improves things, but the standard way of handling the
Location in redirects is via the ProxyPassReverse directive (which is probably more
efficient here - and more easily understood - than the Header-edit).
The ProxyPassReverse directive should work whether you use ProxyPass or not.

I do not really understand the problem with the "Origin" header though.
Proxying from httpd to Tomcat (even with a different hostname) is a widely-used thing, and
I have never heard of this kind of issue before.
Maybe something specific to j_security_check, I just don't know.
If you stop editing the request headers, and forward the requests via ProxyPass, do you
get this problem also?
Maybe you should also look at ProxyPassReverseCookieDomain?



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
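Added example (not from either poster): the mod_proxy form of the setup described in the thread on server A, with ProxyPassReverse and the cookie directives doing the Location and Set-Cookie rewriting that the Header edit did by hand. Hostnames A and T are the placeholders from the thread; the webapp path is the one quoted there.

```apache
# Server A (httpd). Hypothetical names: A = public host, T = Tomcat host.
# Reverse proxy only; never enable forward proxying on a public host.
ProxyRequests Off

# Same mapping as "RewriteRule ^/jsp/(.*)$ http://T/webapp/jsp/$1 [P]".
ProxyPass        /jsp/ http://T/webapp/jsp/

# Rewrite Location (and Content-Location, URI) headers in Tomcat's
# responses, e.g. the 302 that follows j_security_check, from
# http://T/webapp/jsp/... back to http://A/jsp/...  This replaces:
#   Header edit Location http:\/\/T\/webapp\/jsp\/ http://A/jsp/
ProxyPassReverse /jsp/ http://T/webapp/jsp/

# Fix up Set-Cookie so the JSESSIONID issued by T is scoped to A and
# to the public path /jsp/ rather than /webapp/jsp/.
ProxyPassReverseCookieDomain T A
ProxyPassReverseCookiePath   /webapp/jsp/ /jsp/

# Optional alternative: pass the client's Host: header (A) through to
# Tomcat so Tomcat itself builds redirects with the public hostname,
# at which point ProxyPassReverse has nothing left to rewrite.
# ProxyPreserveHost On
```

The request-side "RequestHeader edit Origin ..." line from the thread is intentionally absent here, so the Origin: header reaches Tomcat unmodified and any difference in behaviour can be observed directly, as suggested in the reply.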

