tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: tomcat 6 j_security_check, Apache ProxyPass and the Origin: header
Date Fri, 18 Jan 2013 11:45:01 GMT
On 18/01/2013 11:07, Tim Watts wrote:
> Anyone?

Tomcat doesn't give two hoots about the origin header. It does care
about the Host header.

It is hard to tell exactly what is going wrong from your post but you
may need one or more of the following:

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypreservehost
Set this to on

Set proxyName="A" and proxyPort="80" on the connector in server.xml

HTH,

Mark

> 
> On 14/01/13 17:24, Watts, Timothy wrote:
>> Hi,
>>
>> Is there a way to *tell* j_security_check that an Origin: header set
>> (during the login POST request) to a remote server is permitted (and is
>> not an XSS attack)?
>>
>> We have a tomcat server T running a tomcat webapp that uses
>> j_security_check to auth users
>>
>> (Excuse me - I am not the tomcat programmer, I'm the sysadmin trying to
>> help the programmer, so my terminology might be bad).
>>
>> Basically,
>>
>> http://T/webapp/jsp/login works OK
>>
>> On Server A running apache, we have a config:
>>
>> RewriteRule ^/jsp/(.*)$ http://T/webapp/jsp/$1 [P]
>>
>> (which is a ProxyPass - we have many rewrite rules so prefer to use
>> RewriteRule for consistency)
>>
>> If we try to login to the tomcat webapp from
>>
>> http://A/jsp/login
>>
>> the POST request sends an Origin: header containing http://A/...
>>
>> Tomcat seems not to like this as it realises that server A is not where
>> it is running.
>>
>> I made it work with a disgraceful hack in the apache config:
>>
>> RequestHeader edit Origin http:\/\/A\/ http:\/\/T\/ early
>>
>> But now Tomcat can log us in but sends the wrong URI host in the
>> Location: header when it replies with the 302 redirect. So I "fix" this
>> with:
>>
>> Header edit Location http:\/\/T\/webapp\/jsp\/ http://A/jsp/
>>
>> It works, but it is horrible and basically leaving a booby trap for the
>> unwary.
>>
>> Many thanks,
>>
>> Tim
>>
> 
> 


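Mark's first suggestion written out as a vhost fragment for server A, as an added example that is not from the thread. A, T, /jsp/ and /webapp/jsp/ are the placeholders from Tim's post, and the ProxyRequests line is my own defensive addition rather than something from the reply.

```apache
# Server A (Apache httpd 2.2), reverse-proxying /jsp/ to the Tomcat
# webapp on T. Added example for this thread; A and T are the
# placeholder host names from the original post, not real hosts.
<VirtualHost *:80>
    ServerName A

    # Not in Mark's reply: a vhost that carries [P] rewrite rules must
    # never double as an open forward proxy, so state the default here.
    ProxyRequests Off

    # Mark's suggestion: hand the client's Host: header (A) to Tomcat
    # unchanged instead of replacing it with T. Tomcat acts on Host, not
    # Origin, so the 302 it sends after j_security_check is built with
    # host A in Location: rather than T.
    ProxyPreserveHost On

    RewriteEngine On
    RewriteRule ^/jsp/(.*)$ http://T/webapp/jsp/$1 [P]

    # The two header hacks from the original post can then go. The host
    # part of the Location: edit is no longer needed; the path difference
    # (/jsp/ on A vs /webapp/jsp/ on T) is a separate mapping that
    # ProxyPreserveHost does not address and the thread does not settle.
    #   RequestHeader edit Origin http:\/\/A\/ http:\/\/T\/ early
    #   Header edit Location http:\/\/T\/webapp\/jsp\/ http://A/jsp/
</VirtualHost>
```

The alternative from the reply sits on the Tomcat side instead: set proxyName="A" and proxyPort="80" on the HTTP Connector in server.xml so Tomcat reports A:80 as its own address when it builds redirects.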