Deployed a web application that specifies a user data constraint as follows:

<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Added to the standalone.xml file an AJP connector as follows:

<connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp" redirect-port="443"/>

Configured Apache to forward requests to the application server as follows:

<Location /hello>
  ProxyPass ajp://127.0.0.1:8009/hello
</Location>

When accessing this application with an HTTP URL the result is the following error page:

JBWEB000065: HTTP Status 403 -
JBWEB000309: type JBWEB000067: Status report
JBWEB000068: message
JBWEB000069: description JBWEB000123: Access to the specified resource has been forbidden.
JBoss Web/7.2.2.Final-redhat-1

The versions of the relevant components are the following:

# grep 'JBoss EAP' /var/log/jbossas/standalone/server.log
20:54:57,650 INFO [org.jboss.as] (MSC service thread 1-2) JBAS015899: JBoss EAP 6.2.0.Beta1 (AS 7.3.0.Final-redhat-8) starting
# rpm -qa 'jbossas*' 'httpd'
jbossas-welcome-content-eap-7.3.0-2.Final_redhat_8.1.ep6.el6.noarch
httpd-2.2.22-25.ep6.el6.x86_64
jbossas-product-eap-7.3.0-2.Final_redhat_8.1.ep6.el6.noarch
jbossas-bundles-7.3.0-2.Final_redhat_8.1.ep6.el6.noarch
jbossas-standalone-7.3.0-2.Final_redhat_8.1.ep6.el6.noarch
jbossas-modules-eap-7.3.0-8.Final_redhat_8.1.ep6.el6.noarch
jbossas-core-7.3.0-3.Final_redhat_8.1.ep6.el6.noarch

The operating system is RHEL 6.4 with the latest updates from RHN.

The expected behavior is that the user is redirected to the HTTPS URL. This works correctly with EAP 6.1.0.
Created attachment 811346: Tar file containing the configuration files and the example application
According to my test the description is wrong... I see the right redirection, but a 403 instead of a 302.
This is what I am doing and what I get:

$ nc rhel.example.com 80
GET /hello/ HTTP/1.1
Host: rhel.example.com
Connection: close

HTTP/1.1 403 Forbidden
Date: Tue, 15 Oct 2013 09:04:32 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Location: https://rhel.example.com/hello/
Content-Type: text/html;charset=utf-8
Content-Length: 1072
Connection: close

<html><head><title>JBoss Web/7.2.2.Final-redhat-1 - JBWEB000064: Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>JBWEB000065: HTTP Status 403 - </h1><HR size="1" noshade="noshade"><p><b>JBWEB000309: type</b> JBWEB000067: Status report</p><p><b>JBWEB000068: message</b> <u></u></p><p><b>JBWEB000069: description</b> <u>JBWEB000123: Access to the specified resource has been forbidden.</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/7.2.2.Final-redhat-1</h3></body></html>

As you can see, the application server is returning the Location header, but with the 403 code, so the browser completely ignores the Location header and there is no redirection. I tested this with Firefox and Chrome and both have the same behavior.
In the same environment, if I use EAP 6.1.0 (with the same configuration, same application, same operating system) I get the following:

$ nc rhel.example.com 80
GET /hello/ HTTP/1.1
Host: rhel.example.com
Connection: close

HTTP/1.1 302 Moved Temporarily
Date: Tue, 15 Oct 2013 09:08:37 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Location: https://rhel.example.com/hello/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
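The two raw exchanges above are exactly the kind of check worth keeping as a regression test for a CONFIDENTIAL transport guarantee behind an AJP proxy: a Location header is only enforced when the status is one a client follows, so a 403 carrying a Location (the EAP 6.2.0.Beta1 output) is not a redirect at all. The script below is an added example, not code from the bug reporter or from JBoss EAP. It replays the nc request over a plain socket and classifies the response; the embedded responses are constructed from the ones quoted in the comments (bodies trimmed), and the host name and path are taken from the report as assumptions.

```python
"""Regression check: does a plain-HTTP request to a CONFIDENTIAL resource
actually get redirected to HTTPS? (Added example, not part of the bug.)"""
import socket
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

# Status codes for which a browser follows the Location header.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class ParsedResponse:
    version: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_response(raw: bytes) -> ParsedResponse:
    """Split a raw HTTP/1.x response into status line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, *_ = lines[0].split(" ", 2)   # reason phrase is optional
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return ParsedResponse(version, int(status), headers, body)


def check_https_redirect(raw: bytes) -> Dict[str, object]:
    """Decide whether the response enforces the transport guarantee.

    Verdicts:
      ok                 - followable status and an https Location
      location-ignored   - Location present but on a non-redirect status
                           (the EAP 6.2.0.Beta1 behaviour in this bug)
      redirect-not-https - redirect status but the target is not https
      no-redirect        - neither a redirect status nor a Location header
    """
    resp = parse_response(raw)
    location: Optional[str] = resp.headers.get("location")
    target_https = bool(location) and urlsplit(location).scheme == "https"
    redirect_status = resp.status in REDIRECT_STATUSES
    if redirect_status and target_https:
        verdict = "ok"
    elif location and not redirect_status:
        verdict = "location-ignored"
    elif redirect_status:
        verdict = "redirect-not-https"
    else:
        verdict = "no-redirect"
    return {"status": resp.status, "location": location, "verdict": verdict}


def probe(host: str, path: str = "/hello/", port: int = 80,
          timeout: float = 5.0) -> Dict[str, object]:
    """Replay the nc request from the bug over a plain socket and check it."""
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               f"Connection: close\r\n\r\n").encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return check_https_redirect(b"".join(chunks))


# Constructed from the responses quoted in the bug comments (bodies trimmed).
EAP_620_BETA1 = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Date: Tue, 15 Oct 2013 09:04:32 GMT\r\n"
    b"Location: https://rhel.example.com/hello/\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"Connection: close\r\n\r\n"
    b"<html><body><h1>JBWEB000065: HTTP Status 403 - </h1></body></html>"
)
EAP_610 = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Date: Tue, 15 Oct 2013 09:08:37 GMT\r\n"
    b"Location: https://rhel.example.com/hello/\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in (("EAP 6.2.0.Beta1", EAP_620_BETA1), ("EAP 6.1.0", EAP_610)):
        print(name, check_https_redirect(raw))
    # Against a live deployment (assumed host from the report):
    # print(probe("rhel.example.com"))
```

Run it against a deployment by calling `probe(host)`; a verdict other than `ok` means the CONFIDENTIAL constraint is not being honoured by clients even if the server log looks healthy, which is precisely why the 403-with-Location variant went unnoticed until the raw response was inspected.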
It is caused by a wrong fix for BZ-920160 (34c1214018e8e8660afdfd28d8fd7576d2a5e053)
diff --git a/web/src/main/java/org/jboss/as/web/security/JBossWebRealm.java b/web/src/main/java/org/jboss/as/web/se index f30dfcb..8dcd9d3 100644 --- a/web/src/main/java/org/jboss/as/web/security/JBossWebRealm.java +++ b/web/src/main/java/org/jboss/as/web/security/JBossWebRealm.java @@ -625,7 +625,7 @@ public class JBossWebRealm extends RealmBase { ok = helper.hasUserDataPermission(map, request, response, PolicyContext.getContextID(), callerSubject, getPrincipalRoles(request)); } - if(!ok) { + if(!ok && response.getStatus() != Response.SC_FOUND) { response.sendError(Response.SC_FORBIDDEN); } return ok; Possible patch.
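Review bot: the proposed condition `response.getStatus() != Response.SC_FOUND` hard-codes a single status value, so `response.sendError(Response.SC_FORBIDDEN)` in this hunk still overwrites anything other than a 302 that `helper.hasUserDataPermission(...)` may already have written to the response before returning false. Checking instead that no status has been set yet (the status is still the default 200) covers every case where the user-data-permission check has already answered the request, and keeps the 403 only for the case the BZ-920160 fix was meant to handle. The `+++` file header is also cut off in the pasted diff (`.../web/se`), which makes the hunk harder to apply as-is.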
Fixed in https://github.com/jbossas/jboss-eap/pull/555 using - if(!ok) { + if(!ok && response.getStatus() == Response.SC_OK) { response.sendError(Response.SC_FORBIDDEN); } return ok;
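Review bot: `response.getStatus() == Response.SC_OK` sends the 403 only while the response status is still the default, so the 302 and Location header set by the transport-guarantee redirect survive, which matches the EAP 6.1.0 output shown earlier in this bug. Since this same spot already regressed once under the BZ-920160 change, the pull request should carry a regression test that sends a plain-HTTP request for a resource with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` through the AJP connector and asserts a 302 with an https Location rather than a 403.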
Verified using EAP 6.2.0.ER7