Bug 1018365

Summary: The redirect-port attribute is ignored
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Juan Hernández <juan.hernandez>
Component: WebAssignee: Emmanuel Hugonnet (ehsavoie) <ehugonne>
Status: CLOSED CURRENTRELEASE QA Contact: Radim Hatlapatka <rhatlapa>
Severity: urgent Docs Contact: Russell Dickenson <rdickens>
Priority: urgent    
Version: 6.2.0CC: brian.stansberry, dandread, iheim, jawilson, jclere, jdoyle, myarboro, obasan, pslavice
Target Milestone: ER7Keywords: Regression
Target Release: EAP 6.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-15 16:22:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1018111    
Attachments:
Description Flags
Tar file containing the configuration files and the example application none

Description Juan Hernández 2013-10-11 18:57:50 UTC 
Deployed a web application that specifies a user data constraint as follows:

  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Added to the standalone.xml file an AJP connector as follows:

  <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp" redirect-port="443"/>

Configured Apache to forward requests to the application server as follows:

  <Location /hello>
    ProxyPass ajp://127.0.0.1:8009/hello
  </Location>

When accessing this application with an HTTP URL the result is the following error page:

  JBWEB000065: HTTP Status 403 -
  JBWEB000309: type JBWEB000067: Status report
  JBWEB000068: message
  JBWEB000069: description JBWEB000123: Access to the specified resource has been forbidden.
  JBoss Web/7.2.2.Final-redhat-1

The versions of the relevant components are the following:

  # grep 'JBoss EAP' /var/log/jbossas/standalone/server.log 
  20:54:57,650 INFO  [org.jboss.as] (MSC service thread 1-2) JBAS015899: JBoss EAP 6.2.0.Beta1 (AS 7.3.0.Final-redhat-8) starting

  # rpm -qa 'jbossas*' 'httpd'
  jbossas-welcome-content-eap-7.3.0-2.Final_redhat_8.1.ep6.el6.noarch
  httpd-2.2.22-25.ep6.el6.x86_64
  jbossas-product-eap-7.3.0-2.Final_redhat_8.1.ep6.el6.noarch
  jbossas-bundles-7.3.0-2.Final_redhat_8.1.ep6.el6.noarch
  jbossas-standalone-7.3.0-2.Final_redhat_8.1.ep6.el6.noarch
  jbossas-modules-eap-7.3.0-8.Final_redhat_8.1.ep6.el6.noarch
  jbossas-core-7.3.0-3.Final_redhat_8.1.ep6.el6.noarch

The operating system is RHEL 6.4 with the latest updates from RHN.

The expected behavior is that the user is redirected to the HTTPS URL.

This works correctly with EAP 6.1.0.
Comment 1 Juan Hernández 2013-10-11 19:04:17 UTC 
Created attachment 811346 [details]
Tar file containing the configuration files and the example application
Comment 3 Jean-frederic Clere 2013-10-15 06:31:13 UTC 
According to my test the description is wrong....
I see the right redirection but 403 instead 302
Comment 4 Juan Hernández 2013-10-15 09:10:29 UTC 
This is what I am doing and what I get:

$ nc rhel.example.com 80
GET /hello/ HTTP/1.1
Host: rhel.example.com
Connection: close

HTTP/1.1 403 Forbidden
Date: Tue, 15 Oct 2013 09:04:32 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Location: https://rhel.example.com/hello/
Content-Type: text/html;charset=utf-8
Content-Length: 1072
Connection: close

<html><head><title>JBoss Web/7.2.2.Final-redhat-1 - JBWEB000064: Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>JBWEB000065: HTTP Status 403 - </h1><HR size="1" noshade="noshade"><p><b>JBWEB000309: type</b> JBWEB000067: Status report</p><p><b>JBWEB000068: message</b> <u></u></p><p><b>JBWEB000069: description</b> <u>JBWEB000123: Access to the specified resource has been forbidden.</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/7.2.2.Final-redhat-1</h3></body></html>

As you can see the application server is returning the Location header, but the 403 code, thus the browser is ignoring completely the Location header, so there is no redirection.

I tested this with Firefox and Chrome and both have the same behavior.

In the same environment if I use EAP 6.1.0 (with the same configuration, same application, same operating system) I get the following:

$ nc rhel.example.com 80
GET /hello/ HTTP/1.1
Host: rhel.example.com
Connection: close

HTTP/1.1 302 Moved Temporarily
Date: Tue, 15 Oct 2013 09:08:37 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Location: https://rhel.example.com/hello/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
Comment 5 Jean-frederic Clere 2013-10-15 10:04:52 UTC 
It is caused by a wrong fix for BZ-920160 (34c1214018e8e8660afdfd28d8fd7576d2a5e053)
Comment 6 Jean-frederic Clere 2013-10-15 11:22:01 UTC 
diff --git a/web/src/main/java/org/jboss/as/web/security/JBossWebRealm.java b/web/src/main/java/org/jboss/as/web/se
index f30dfcb..8dcd9d3 100644
--- a/web/src/main/java/org/jboss/as/web/security/JBossWebRealm.java
+++ b/web/src/main/java/org/jboss/as/web/security/JBossWebRealm.java
@@ -625,7 +625,7 @@ public class JBossWebRealm extends RealmBase {
             ok = helper.hasUserDataPermission(map, request, response, PolicyContext.getContextID(), callerSubject,
                     getPrincipalRoles(request));
         }
-        if(!ok) {
+        if(!ok && response.getStatus() != Response.SC_FOUND) {
             response.sendError(Response.SC_FORBIDDEN);
         }
         return ok;

Possible patch.
Comment 7 Emmanuel Hugonnet (ehsavoie) 2013-10-15 14:10:49 UTC 
Fixed in https://github.com/jbossas/jboss-eap/pull/555 using 
-        if(!ok) {
+        if(!ok && response.getStatus() == Response.SC_OK) {
             response.sendError(Response.SC_FORBIDDEN);
         }
         return ok;
Comment 8 Radim Hatlapatka 2013-11-06 11:48:35 UTC 
Verified using EAP 6.2.0.ER7