On 18/01/2013 11:07, Tim Watts wrote: > Anyone? Tomcat doesn't give two hoots about the origin header. It does care about the Host header.
It is hard to tell exactly what is going wrong from your post but you may need one or more of the following: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypreservehost Set this to on Set proxyName="A" anf proxyPort="80" on the connector in server.xml HTH, Mark > > On 14/01/13 17:24, Watts, Timothy wrote: >> Hi, >> >> >> >> Is there a way to *tell* j_security_check that an Origin: header set >> (during the login POST request) to a remote server is permitted (and is >> not an XSS attack)? >> >> >> >> >> We have a tomcat server T running a tomcat webapp that uses >> j_security_check to auth users >> >> (Excuse me - I am not the tomcat programmer, I'm the sysadmin trying to >> help the programmer, so my terminology might be bad). >> >> Basically, >> >> http://T/webapp/jsp/login works OK >> >> On Server A running apache, we have a config: >> >> RewriteRule ^/jsp/(.*)$ http://T/webapp/jsp/$1 [P] >> >> (which is a ProxyPass - we have many rewrite rules so prefer to use >> RewriteRule for consistency) >> >> >> If we try to login to the tomcat webapp from >> >> http://A/jsp/login >> >> the POST request sends an Origin: header containing http:://A/... >> >> Tomcat seems not to like this as it realises that server A is not where >> it is running. >> >> I made it work with a disgraceful hack in the apache config: >> >> RequestHeader edit Origin http:\/\/A\/ http:\/\/T\/ early >> >> But now Tomcat can log us in but sends the wrong URI host in the >> Location: header when it replies with the 302 redirect. So I "fix" this >> with: >> >> Header edit Location http:\/\/T\/webapp\/jsp\/ http://A/jsp/ >> >> >> It works, but it is horrible and basically leaving a booby trap for the >> unwary. >> >> >> Many thanks, >> >> Tim >> > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
