tomcat-users mailing list archives

From Tim Watts <>
Subject Re: tomcat 6 j_security_check, Apache ProxyPass and the Origin: header
Date Fri, 18 Jan 2013 11:54:22 GMT
On 18/01/13 11:27, André Warnier wrote:

> I don't know if this really helps or improves things, but the standard way of handling
> Location in redirects is via the ProxyPassReverse directive (which is probably more
> efficient here - and more easily understood - than the Header-edit).
> The ProxyPassReverse directive should work whether you use ProxyPass or not.

Hi Andre,

Yes - I agree about ProxyPassReverse - that likely would fix the 
redirect incorrectness.

> I do not really understand the problem with the "Origin" header though.
> Proxying from httpd to Tomcat (even with a different hostname) is a widely-used thing,
> I have never heard of this kind of issue before.
> May be something specific to j_security_check, I just don't know.
> If you stop editing the request headers, and forward the requests via ProxyPass, do you
> get this problem also ?

I will try -

A RewriteRule .. .. [P] should be equivalent to a ProxyPass, but just in 
case there is a subtle difference I will give it a try.

I prefer the rewrite rules as there are a bunch of them for other 
reasons and not mixing RewriteRule with ProxyPass makes it very clear 
what order they are being actioned (which is important).

Re: j_security_check: I have seen a load of issues reported that match
this problem - usually the person reports a 408 error and everyone piles 
in and tries to "solve" that with increasing timeout settings.

The 408 is clearly erroneous - and having "fixed" it myself by editing
the Origin header, that's clearly the causal factor.

Oddly enough, I did my usual trick of downloading the source code (for 
tomcat 6) and doing a recursive grep for any mention of the Origin: 
header. I found nothing! Which makes me wonder if the problem originates 
in a generic Java library???

The whole damn thing is so poorly documented (or at least all I could 
find was a document on how to enable auth checking) that I'm not able to
tell if there are some options that I *could* be setting in the web.xml 
or somewhere.

It seems reasonable that it might whine about a cross-site auth effort, 
but equally there should be a way to explicitly permit that, at least 
for a named VHOST. As you say, proxying is very common - for load 
balancing if nothing else.

I'll go and try your suggestions -

Thanks :)


> Maybe you should also look at ProxypassReverseCookieDomain ?
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Tim Watts                               Tel (VOIP): +44 (0)1580 848360
Systems Manager              Digital Humanities, King's College London


"She got her looks from her father. He's a plastic surgeon."
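
The setup discussed in this message (proxying with `RewriteRule ... [P]` rather than `ProxyPass`, with `ProxyPassReverse` and `ProxyPassReverseCookieDomain` fixing up the responses) can be sketched as follows. This is an added example, not configuration posted by anyone in the thread; the hostnames `www.example.org` and `tomcat.internal.example`, the port and the `/app/` path are assumptions.

```apache
# Added example. Hostnames, port and path are placeholders (assumptions).
# Requires mod_rewrite, mod_proxy and mod_proxy_http to be loaded.
<VirtualHost *:80>
    ServerName www.example.org

    RewriteEngine On

    # Forward /app/... to the Tomcat backend through mod_proxy.
    # [P] hands the rewritten URL to the proxy; rules are evaluated in the
    # order written, so this sits alongside any other RewriteRules.
    RewriteRule ^/app/(.*)$ http://tomcat.internal.example:8080/app/$1 [P,L]

    # Rewrite Location, Content-Location and URI headers in backend
    # responses so redirects (for example after a login form post) point at
    # the public hostname. This directive does not depend on a matching
    # ProxyPass and also applies to requests proxied with [P].
    ProxyPassReverse /app/ http://tomcat.internal.example:8080/app/

    # Rewrite the Domain attribute of Set-Cookie headers from the backend
    # hostname to the public one, so the session cookie is returned by the
    # browser on the next request.
    ProxyPassReverseCookieDomain tomcat.internal.example www.example.org
</VirtualHost>
```

To check the result, request a URL that makes the backend redirect and confirm that the `Location` header and any `Set-Cookie` domain in the response name the public host rather than the backend.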
