Hi,
Is there a way to *tell* j_security_check that an Origin: header set
(during the login POST request) to a remote server is permitted (and is
not an XSS attack)?
We have a tomcat server T running a tomcat webapp that uses
j_security_check to auth users
(Excuse me - I am not the tomcat programmer, I'm the sysadmin trying to
help the programmer, so my terminology might be bad).
Basically,
http://T/webapp/jsp/login works OK
On Server A running apache, we have a config:
RewriteRule ^/jsp/(.*)$ http://T/webapp/jsp/$1 [P]
(which is a ProxyPass - we have many rewrite rules so prefer to use
RewriteRule for consistency)
If we try to login to the tomcat webapp from
http://A/jsp/login
the POST request sends an Origin: header containing http://A/...
Tomcat seems not to like this as it realises that server A is not where
it is running.
I made it work with a disgraceful hack in the apache config:
RequestHeader edit Origin http:\/\/A\/ http:\/\/T\/ early
But now Tomcat can log us in but sends the wrong URI host in the
Location: header when it replies with the 302 redirect. So I "fix" this
with:
Header edit Location http:\/\/T\/webapp\/jsp\/ http://A/jsp/
It works, but it is horrible and basically leaving a booby trap for the
unwary.
Many thanks,
Tim
--
Tim Watts
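The same proxy setup written so that neither the Origin nor the Location header has to be edited by hand. This is an added example, not part of Tim's post or of the Tomcat or httpd projects; it assumes Apache httpd 2.4 with mod_proxy, mod_proxy_http and mod_rewrite loaded, uses "A" and "T" as placeholders for the real hostnames, and assumes the backend's Origin check compares Origin against the Host header it receives (the post only reports that the mismatch is rejected).

```apache
# Added example (not from the original post): reverse-proxy config for
# server A that avoids rewriting the Origin and Location headers by hand.
# Assumptions: httpd 2.4 with mod_proxy, mod_proxy_http and mod_rewrite;
# "A" and "T" are placeholders for the public and backend hostnames.

# --- What the post does (shown for contrast; do not combine with the
# --- directives below) ---
# RewriteRule ^/jsp/(.*)$ http://T/webapp/jsp/$1 [P]
# RequestHeader edit Origin http:\/\/A\/ http:\/\/T\/ early
# Header edit Location http:\/\/T\/webapp\/jsp\/ http://A/jsp/
# Editing Origin makes every POST look as if it came from the backend
# itself, so the check that rejected the request is no longer checking
# anything.

# --- Alternative ---
# Pass the original Host header (A) through instead of replacing it with
# T. If the backend compares Origin against Host (assumption, see above),
# Origin: http://A now matches without touching the request.
ProxyPreserveHost On

# Same mapping as the RewriteRule [P], expressed as ProxyPass so the
# path translation is visible in one place.
ProxyPass        /jsp/ http://T/webapp/jsp/

# Rewrite Location/Content-Location/URI headers in backend responses
# from the backend's URL space to the public one, replacing the
# "Header edit Location" hack. With ProxyPreserveHost the backend may
# build its redirect from either hostname, so both forms are listed.
ProxyPassReverse /jsp/ http://T/webapp/jsp/
ProxyPassReverse /jsp/ http://A/webapp/jsp/

# The backend's session cookie is scoped to its own context path; map
# it onto the public prefix so the browser sends it back on /jsp/...
ProxyPassReverseCookiePath /webapp /
```

Things to verify after applying it: curl -i http://A/jsp/login and confirm the 302 after login carries a Location: http://A/jsp/... URL without the Header edit rule, check with the backend's access log that it now sees Host: A, and confirm the JSESSIONID cookie path in the Set-Cookie header covers the public path. If the backend host is a Tomcat virtual host that only answers to its own name, it must also be configured to accept requests for A, since ProxyPreserveHost forwards that name.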