Spring security logout over https not working - jboss

I have a basic configuration for Spring Security. The logout button works perfectly fine over HTTP, but a problem appears when dealing with HTTPS. My security config looks like this:
<http use-expressions="true" auto-config="false" entry-point-ref="http403EntryPoint"
access-denied-page="/accessDenied">
<intercept-url pattern="/**" access="hasRole('AA_ACCESS')" requires-channel="any"/>
<custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter"/>
<session-management>
<concurrency-control max-sessions="1" expired-url="/sessionExpired"/>
</session-management>
<logout invalidate-session="true" delete-cookies="JSESSIONID"/>
</http>
The logout button:
Logout
As I said, everything works fine over HTTP, but not HTTPS.
I get error 404 Page not found. The ports the app is running on are: 11501 for JBoss AS, while HTTPS is Apache with an AJP connector to JBoss; Apache is 16000, AJP 8009.

Luke Taylor was right. It's not a Spring Security issue. Remember kids, check everything twice after your colleagues. In my case, the Apache VirtualHost was wrongly configured:
<VirtualHost *:11600>
ServerName localhost
DocumentRoot "/apache/htdocs/aa"
SSLEngine on
SSLCertificateFile "/apache/conf/server.crt"
SSLCertificateKeyFile "/apache/conf/server.key"
ProxyPass /admin ajp://localhost:8009/admin/ <--- HERE
<Directory "/apache/htdocs/aa">
DirectoryIndex index.html
AllowOverride All
Order allow,deny
Allow from all
</Directory>
ErrorLog "logs/error_log"
CustomLog "logs/access_log" common
LogLevel debug
</VirtualHost>
Notice the additional slash at the end of ProxyPass; that was the problem.

Not sure why it works on http, so I don't know if this will help, but you can try to set the logout-success-url on the logout configuration, in case the 404 error is due to a missing page where you are redirected after the logout is complete.
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#nsa-logout

Related

Apache Reverse Proxy produces too many redirects

I have configured apache to redirect HTTPS requests to the locally running application server PUMA. PUMA is part of the Ruby on Rails framework.
<IfModule mod_ssl.c>
<VirtualHost *:443>
ProxyPass / http://localhost:3000/
ProxyPassReverse / http://localhost:3000/
Puma Server is listening on http://localhost:3000/
When I access this apache web site from a browser I get: Too many redirections.
Any idea?
I had the same issue. Try to add after your Proxy:
RequestHeader set X-Forwarded-Proto https to your ...ssl.conf which is in sites-available folder.
I had same issue, I was trying to setup a SSL termination reverse proxy with apache. I followed this article.
Using 0.0.0.0 instead of localhost worked for me.
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName exemple.com
SSLCertificateFile /path/fullchain.pem
SSLCertificateKeyFile /path/privkey.pem
ProxyPass / http://0.0.0.0:80/
ProxyPassReverse / http://0.0.0.0:80/
</VirtualHost>
</IfModule>

weblogic & OHS: How forward one url to a different server

I have an environment with Oracle WebLogic and OHS running.
In the mod_wl_ohs.conf I have following (beside config for other applications)
<Location /application1>
SetHandler weblogic-handler
WLLogFile /opt/logs/application1.log
Debug OFF
WebLogicHost 127.0.0.1
WebLogicPort 23666
</Location>
This works fine and the server listening on 23666 with the actual application1 application is handling requests like “http://example.com/application1/*”.
Now I would like to redirect all requests for a specific URL pattern to a different domain (not necessarily on the same server), while continuing to handle all other requests.
Redirect: http://example.com/application1/MagicKeyword/*
continue on: http://example.com/application1/NotTheKeyword* or http://example.com/application1/AlsoNotKeyword/*
What is the right approach for that?
I played around with some mod_rewrite rules; it seems they don’t take effect or break everything (in httpd.conf). I was also reading that we should not use mod_rewrite rules inside of a location tag (can't find the reference now).
What else can I do?
Edit: So finally I found my error (somehow wrong syntax which did not prevent the server from starting, like usual).
So I could:
in httpd.conf
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule "(.*)/application1/MagicKeyword/(.*)$" "https://www.example.org" [NC,L,R=301]
</IfModule>
or in the Location tag add:
RewriteEngine On
RewriteRule "(.*)/MagicKeyword/(.*)$" "https://www.example.org" [NC,L,R=301]
Why should I prefer one over the other?
Is there anything to be concerned about?
Two other options you can consider. You can use the order of location tags:
<Location /application1/MagicKeyword>
WebLogicHost otherhost
</Location>
<Location /application1>
WebLogicHost 127.0.0.1
</Location>
You can tell WebLogic to exclude a path (see https://docs.oracle.com/middleware/1212/webtier/PLGWL/plugin_params.htm#PLGWL473):
<Location /application1>
WebLogicHost 127.0.0.1
WLExcludePathOrMimeType /application1/MagicKeyword
</Location>
<Location /application1>
WebLogicHost otherhost
</Location>

Tuleap unable to upload file

I have installed tuleap on centos 6.7 and am having trouble properly configuring tuleap in the following scenario. I have gone through the documentation and mailing list archives but didn't find the solution.
have ubuntu server with static ip address XXX.XXX.XXX.XXX accessible from outside
on the above server I have installed virtualbox and installed centos 6.7 + tuleap (local ip address YYY.YYY.YYY.YYY which is accessible from above ubuntu server only)
I have setup ProxyPass and ProxyPassReverse on ubuntu server which works fine:
ProxyPass / https://YYY.YYY.YYY.YYY/
ProxyPassReverse / https://YYY.YYY.YYY.YYY/
All features are working fine except when I try to upload the files. I see two issues:
When I try to upload file in "Document", I see below messages:
“Permissions successfully updated.
Document successfully created.
Error while creating initial version.”
But when I check apache error log I see that Docman_FileStorage.class.php tries to create file in the root directory i.e. something like /testproject/3/6/36/1 and hence get permission denied error. I am checking local.inc file but wondering where I have to set base path for storing documents?
I see another issue while attaching file to wiki pages. When I hit “Upload” button, the url mysite.domain.com get transferred to YYY.YYY.YYY.YYY ip address! BUT as the YYY.YYY.YYY.YYY is virtual machine ip address and not accessible from outside, I get page not found error. Could you tell me what might be missing? My proxy-pass apache setting looks like:
<VirtualHost *:80>
ServerName mysite.domain.com
ServerAlias *.mysite.domain.com
ProxyRequests off
ProxyPreserveHost off
SSLProxyEngine On
SSLProxyVerify none
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / https://YYY.YYY.YYY.YYY/
ProxyPassReverse / https://YYY.YYY.YYY.YYY/
</VirtualHost>
# Listen 443
<VirtualHost mysite.domain.com:443>
ServerName mysite.domain.com
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine On
SSLProxyVerify none
SSLProxyEngine On
SSLCertificateFile /etc/apache2/ssl/my.crt
SSLCertificateKeyFile /etc/apache2/ssl/my.key
ProxyRequests off
ProxyPreserveHost off
ProxyPass / https://YYY.YYY.YYY.YYY/
ProxyPassReverse / https://YYY.YYY.YYY.YYY/
</VirtualHost>
Any help to solve above issues will be appreciated.
Thanks!
I would suggest to look at selinux first.
Please try to run setenforce 0 on the centos box and try to create documents again. If that solves the problem, set selinux to permissive.

link apache web server on port 80 and tomcat webapp on port 8080

On port 80 I have normal apache web server.
On port 8080 I have tomcat with client and server side stuff.
My goal is:
www.mydomain.com renders a static and SEO friendly index.html while javascript stuff is loading.
In the header of this index.html I load www.mydomain.com:8080/myapp/stuff.js
stuff.js is compiled with gwt and calls a RootLayoutPanel.get().add(nice_panel) which will remove static content and show dynamic widgets. It also calls servlets (server side code).
Problem: for security reasons, browsers won't let me load www.mydomain.com:8080/myapp/stuff.js because it is on a different port.
Wrong attempt: I tried to create a symlink from "normal" apache web server directory to the tomcat webapp containing stuff.js. I am now able to load stuff.js because its url is: www.mydomain.com/mysymlink_to_tomcat/stuff.js. But stuff.js is not able anymore to call servlets on server side again because of browsers security rules ("XMLHttpRequest cannot load ... origin ...is not allowed by Access-Control-Allow-Origin").
I would like to avoid the "crazy" solution of redirect from index.html to tomcat with header('location: http://mydomain.com:8080/another_index_on_tomcat.html'). This solution works but it has many drawbacks (SEO...)
What would be the best approach ?
Thanks.
You have basically two solutions:
make it work with the 2 origins: use the xsiframe linker in GWT to allow the page on :80 to load the script from :8080 (for readers: it's not about loading, it's about what the script does).
Add the following to your gwt.xml:
<add-linker name='xsiframe' />
That unfortunately won't solve your issue with GWT-RPC (or whatever you use to talk to the server). For that, there's CORS.
use a single origin: use Apache's mod_proxy (or mod_jk) to proxy your Tomcat through your Apache. Nobody will ever use :8080, everything will go through :80. See Using Tomcat with Apache HTTPD and a proxy at https://developers.google.com/web-toolkit/doc/latest/DevGuideServerCommunication#DevGuideRPCDeployment
And of course there's also the solution of ditching the HTTPD and serving everything with Tomcat (recent Java and Tomcat versions have fixed their slowness issues).
I'm not sure if this would avoid the security error, but you could try an iframe. On apache, you have the index and an iframe to the tomcat, where the JS loads inside the iframe. Dunno if that will help with the SEO problem.
The best solution would be to redirect the port 80 calls to 8080 on apache when the client call is asking for a tomcat application.
Install mod_jk on apache and configure it to mount a context on the path you want
example: (edit /mods_enabled/jk.conf)
# Configure access to jk-status and jk-manager
# If you want to make this available in a virtual host,
# either move this block into the virtual host
# or copy it logically there by including "JkMountCopy On"
# in the virtual host.
# Add an appropriate authentication method here!
<Location /jk-status>
# Inside Location we can omit the URL in JkMount
JkMount jk-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
<Location /jk-manager>
# Inside Location we can omit the URL in JkMount
JkMount jk-manager
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
JkMount /*/myAppDir/* ajp13
Then add a virtual host in your site settings (edit /apache2/sites-enabled/)
<VirtualHost *:80>
. Here is the rest of the
. of the config of
. the host
# Tomcat jk connector settings
JkMount /*.jsp ajp13_worker
JkMount /myAppDir/* ajp13_worker
JkMount /myAppDir* ajp13_worker
JKMount /manager* ajp13_worker
JkMount /manager/* ajp13_worker
</VirtualHost>
And you should also edit the server.xml file and inside the tag write and comment the previous Host name="localhost"
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Host name="localhost" appBase="webapps" unpackWARs="true"
autoDeploy="true" >
<Context path="/" docBase="/var/lib/tomcat7/webapps/myAppDir/"
debug="0" reloadable="true" />
<!-- please notes on logs down below -->
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="/var/lib/tomcat7/logs" prefix="tomcat_access_"
suffix=".log" pattern="common" resolveHosts="false" />
</Host>
The only thing left to do is edit the workers.properties file and add
worker.myapp2.port=8009
worker.myapp2.host=localhost
worker.myapp2.type=ajp13
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=ajp13_worker
Then you should be set to work, and when a url containing the myAppDir appears, the apache server will redirect the calls to tomcat and the answer will come back from apache.

Mapping a subdomain to a Servlet context using Apache 2.x and Tomcat 6.x

I have installed Archiva on my machine under Tomcat 6.x at http://dev.mycompany.com:8080/archiva and can access the application and everything, but I want to access it from the subdomain archiva.mycompany.com.
I have Apache 2.x running on port 80 and using Virtual Hosts and mod_proxy to route from other subdomains to the other various services I am running on this machine.
I now want to create a subdomain archiva.dev.mycompany.com and point that to dev.mycompany.com:8080/archiva.
I can't figure out what I need to put in my ProxyPass and ProxyPassReverse to make this work like I want it to.
I tried the following and all it does is add /archiva to the URL over and over again.
<VirtualHost *:80>
ServerAdmin me@mycompany.com
ServerName archiva.dev.mycompany.com
ProxyPreserveHost On
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
ProxyPass / http://dev.mycompany.com:8080/archiva
ProxyPassReverse / http://dev.mycompany.com:8080/archiva
</VirtualHost>
and I get this error message
HTTP Status 404 - /archivaarchiva/
type Status report
message /archivaarchiva/
description The requested resource (/archivaarchiva/) is not available.
I went and dug through everything I could find on Google once again and tried the following:
ProxyPass / ajp://dev.mycompany.com:8080/archiva/
ProxyPassReverse / http://dev.mycompany.com:8080/archiva/
now I just get a 404 error code from the Winstone Servlet Engine, I know I am getting close.
Can anyone tell me what magic incantation I need to make this behave as I desire?
I had the exact same problem.
What has to be done :
reconfigure archiva to have archiva running on / instead of /archiva/
configure reverse proxy in the apache2 configuration.
So now I have "http://repo.[domain]/" for main archiva URL, pointing on "http://[domain]:[port]/"
Here's my current Apache2 configuration :
ProxyRequests Off
ProxyPreserveHost On
<VirtualHost [ip]>
ServerName repo.[domain]
ProxyPass / http://[ip]:8082/
ProxyPassReverse / http://[ip]:8082/
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
</VirtualHost>
And about the conf/jetty.xml configuration :
-remove this :
<!--
<Call class="org.mortbay.jetty.webapp.WebAppContext" name="addWebApplications">
<Arg><Ref id="Contexts"/></Arg>
<Arg>./apps</Arg>
<Arg>org/mortbay/jetty/webapp/webdefault.xml</Arg>
<Arg><Ref id="plusConfig"/></Arg>
<Arg type="boolean">True</Arg>
<Arg type="boolean">False</Arg>
</Call>
-->
+add this instead:
<New class="org.mortbay.jetty.webapp.WebAppContext">
<Arg><Ref id="Contexts"/></Arg>
<Arg>./apps/archiva</Arg>
<Arg>/</Arg>
<Set name="configurationClasses"><Ref id="plusConfig"/></Set>
</New>
The reason you are getting:
HTTP Status 404 - /archivaarchiva/
is because you didn't end your ProxyPass last path with a / but you did end the first path with one.
ProxyPass / http://dev.mycompany.com:8080/archiva
both ProxyPass and ProxyPassReverse should end with /
Rewrite to (taking note of the ending /):
ProxyPass / http://dev.mycompany.com:8080/archiva/
see: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
If the first argument ends with a trailing /, the second argument should also end with a trailing / and vice versa. Otherwise the resulting requests to the backend may miss some needed slashes and do not deliver the expected results.
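The trailing-slash mismatch behind both the ProxyPass /admin ajp://localhost:8009/admin/ case and the Archiva /archivaarchiva/ 404 above can be caught before a config is deployed. The following Python sketch is an added example, not part of the original posts: it flags mismatched ProxyPass lines and models the prefix substitution to show the backend path that results. The function names and the sample config (assembled from directives quoted on this page) are assumptions.

```python
import re

# "ProxyPass <path> <target>"; the \s+ right after the name keeps
# ProxyPassReverse and ProxyPassMatch from matching.
PROXYPASS = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", re.IGNORECASE)

# Constructed sample: directives quoted on this page, gathered in one file.
SAMPLE = """\
ProxyPass /admin ajp://localhost:8009/admin/
ProxyPass / http://dev.mycompany.com:8080/archiva
ProxyPassReverse / http://dev.mycompany.com:8080/archiva
ProxyPass / http://dev.mycompany.com:8080/archiva/
"""

def parse_proxypass(config_text):
    """Return (line_no, path, target) for each ProxyPass mapping."""
    rules = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = PROXYPASS.match(line)
        if m and m.group(2) != "!":  # "ProxyPass /x !" excludes a path, maps nothing
            rules.append((no, m.group(1), m.group(2)))
    return rules

def slash_mismatches(config_text):
    """Rules where only one of the two arguments ends with '/'."""
    return [r for r in parse_proxypass(config_text)
            if r[1].endswith("/") != r[2].endswith("/")]

def backend_url(path, target, request_uri):
    """Model the mapping: the matched prefix is replaced by the target as-is."""
    if not request_uri.startswith(path):
        return None
    rest = request_uri[len(path):]
    # A prefix without a trailing slash only matches on a segment boundary.
    if not path.endswith("/") and rest and not rest.startswith("/"):
        return None
    return target + rest

if __name__ == "__main__":
    for no, path, target in slash_mismatches(SAMPLE):
        print(f"line {no}: ProxyPass {path} {target} (trailing slash mismatch)")
    print(backend_url("/admin", "ajp://localhost:8009/admin/", "/admin/logout"))
    print(backend_url("/", "http://dev.mycompany.com:8080/archiva", "/archiva/"))
```

Running it over a vhost file before a reload makes a useful pre-deployment check, since a mismatched mapping still passes the server's own syntax test.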