Bug 1018365 - The redirect-port attribute is ignored
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web
Version: 6.2.0
Hardware / OS: Unspecified / Unspecified
Priority / Severity: urgent / urgent
Target Milestone: ER7
Target Release: EAP 6.2.0
Assigned To: Emmanuel Hugonnet (ehsavoie)
QA Contact: Radim Hatlapatka
Docs Contact: Russell Dickenson
Keywords: Regression
Blocks: 1018111
Reported: 2013-10-11 14:57 EDT by Juan Hernández
Modified: 2013-12-15 11:22 EST
Doc Type: Bug Fix
Last Closed: 2013-12-15 11:22:15 EST
Type: Bug


Attachments
Tar file containing the configuration files and the example application (30.00 KB, application/x-gzip), 2013-10-11 15:04 EDT, Juan Hernández

Description Juan Hernández 2013-10-11 14:57:50 EDT
Deployed a web application that specifies a user data constraint as follows:

  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Added to the standalone.xml file an AJP connector as follows:

  <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp" redirect-port="443"/>

Configured Apache to forward requests to the application server as follows:

  <Location /hello>
    ProxyPass ajp://127.0.0.1:8009/hello
  </Location>

When accessing this application with an HTTP URL the result is the following error page:

  JBWEB000065: HTTP Status 403 -
  JBWEB000309: type JBWEB000067: Status report
  JBWEB000068: message
  JBWEB000069: description JBWEB000123: Access to the specified resource has been forbidden.
  JBoss Web/7.2.2.Final-redhat-1

The versions of the relevant components are the following:

  # grep 'JBoss EAP' /var/log/jbossas/standalone/server.log 
  20:54:57,650 INFO  [org.jboss.as] (MSC service thread 1-2) JBAS015899: JBoss EAP 6.2.0.Beta1 (AS 7.3.0.Final-redhat-8) starting

  # rpm -qa 'jbossas*' 'httpd'
  jbossas-welcome-content-eap-7.3.0-2.Final_redhat_8.1.ep6.el6.noarch
  httpd-2.2.22-25.ep6.el6.x86_64
  jbossas-product-eap-7.3.0-2.Final_redhat_8.1.ep6.el6.noarch
  jbossas-bundles-7.3.0-2.Final_redhat_8.1.ep6.el6.noarch
  jbossas-standalone-7.3.0-2.Final_redhat_8.1.ep6.el6.noarch
  jbossas-modules-eap-7.3.0-8.Final_redhat_8.1.ep6.el6.noarch
  jbossas-core-7.3.0-3.Final_redhat_8.1.ep6.el6.noarch

The operating system is RHEL 6.4 with the latest updates from RHN.

The expected behavior is that the user is redirected to the HTTPS URL.

This works correctly with EAP 6.1.0.
Comment 1 Juan Hernández 2013-10-11 15:04:17 EDT
Created attachment 811346
Tar file containing the configuration files and the example application
Comment 3 Jean-frederic Clere 2013-10-15 02:31:13 EDT
According to my test the description is wrong...
I see the right redirection, but 403 instead of 302.
Comment 4 Juan Hernández 2013-10-15 05:10:29 EDT
This is what I am doing and what I get:

$ nc rhel.example.com 80
GET /hello/ HTTP/1.1
Host: rhel.example.com
Connection: close

HTTP/1.1 403 Forbidden
Date: Tue, 15 Oct 2013 09:04:32 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Location: https://rhel.example.com/hello/
Content-Type: text/html;charset=utf-8
Content-Length: 1072
Connection: close

<html><head><title>JBoss Web/7.2.2.Final-redhat-1 - JBWEB000064: Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>JBWEB000065: HTTP Status 403 - </h1><HR size="1" noshade="noshade"><p><b>JBWEB000309: type</b> JBWEB000067: Status report</p><p><b>JBWEB000068: message</b> <u></u></p><p><b>JBWEB000069: description</b> <u>JBWEB000123: Access to the specified resource has been forbidden.</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/7.2.2.Final-redhat-1</h3></body></html>

As you can see, the application server is returning the Location header, but with the 403 code, so the browser completely ignores the Location header and there is no redirection.

I tested this with Firefox and Chrome and both have the same behavior.

In the same environment if I use EAP 6.1.0 (with the same configuration, same application, same operating system) I get the following:

$ nc rhel.example.com 80
GET /hello/ HTTP/1.1
Host: rhel.example.com
Connection: close

HTTP/1.1 302 Moved Temporarily
Date: Tue, 15 Oct 2013 09:08:37 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Location: https://rhel.example.com/hello/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
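The check the reporter ran by hand with nc, written up as an added example that is not code from the bug report or from JBoss Web: it parses a raw HTTP/1.1 response and classifies whether the CONFIDENTIAL transport guarantee produced a redirect a browser will actually follow, so the failure mode in this bug (Location header sent with a 403) is reported instead of being read as "access denied" or quietly accepted. The sample responses are constructed, abbreviated from the two captures in comment 4 (the setup is the web.xml, AJP connector and ProxyPass from the description); the function names, the `fetch_plain` helper for running the same request against a live host, and the category labels are this example's own.

```python
"""Classify how a server answers a plain-HTTP request to a CONFIDENTIAL resource.

Added example, not part of bug 1018365 or of JBoss Web. It distinguishes a
working transport redirect (3xx + https Location) from the EAP 6.2.0.Beta1
symptom (Location header present but status 403, which browsers ignore).
"""
import socket
from urllib.parse import urlsplit

# Constructed sample responses, abbreviated from the two captures in comment 4.
BROKEN_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Tue, 15 Oct 2013 09:04:32 GMT\r\n"
    "Location: https://rhel.example.com/hello/\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Content-Length: 4\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<h1>"
)
GOOD_302 = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Date: Tue, 15 Oct 2013 09:08:37 GMT\r\n"
    "Location: https://rhel.example.com/hello/\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "\r\n"
)
# Constructed: what a server that does not enforce the constraint at all would send.
PLAIN_200 = "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nhi"


def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP response; header names are lowercased."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def classify_redirect(raw, host, path):
    """Classify the answer to a plain-HTTP GET of host/path (labels are this example's own).

    'redirect'      : 3xx whose Location is the https:// URL of the same host and path
    'location-only' : Location header sent with a non-3xx status, so clients will not
                      follow it (the EAP 6.2.0.Beta1 symptom in this bug)
    'served-plain'  : 2xx over plain HTTP, i.e. the CONFIDENTIAL constraint is not enforced
    'other'         : anything else (3xx to another host or scheme, 4xx without Location, ...)
    """
    code, headers = parse_response(raw)
    location = headers.get("location")
    if location is not None:
        target = urlsplit(location)
        same_target = (target.scheme == "https"
                       and target.hostname == host
                       and (target.path or "/") == path)
        if 300 <= code < 400:
            return "redirect" if same_target else "other"
        return "location-only"
    if 200 <= code < 300:
        return "served-plain"
    return "other"


def fetch_plain(host, path, port=80, timeout=5.0):
    """Send the same request the report made with nc and return the raw response text."""
    request = ("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)).encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in fetch_plain(host, path) for a live check.
    for label, raw in (("EAP 6.2.0.Beta1", BROKEN_403), ("EAP 6.1.0", GOOD_302)):
        print(label, "->", classify_redirect(raw, "rhel.example.com", "/hello/"))
```

A browser that silently stops on the 403 looks, to a casual test, like a correctly denied request; this is why the classification keys on the Location header first and only then on the status, so a "location-only" result is not lumped in with an ordinary 403.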
Comment 5 Jean-frederic Clere 2013-10-15 06:04:52 EDT
It is caused by a wrong fix for BZ-920160 (34c1214018e8e8660afdfd28d8fd7576d2a5e053)
Comment 6 Jean-frederic Clere 2013-10-15 07:22:01 EDT
diff --git a/web/src/main/java/org/jboss/as/web/security/JBossWebRealm.java b/web/src/main/java/org/jboss/as/web/se
index f30dfcb..8dcd9d3 100644
--- a/web/src/main/java/org/jboss/as/web/security/JBossWebRealm.java
+++ b/web/src/main/java/org/jboss/as/web/security/JBossWebRealm.java
@@ -625,7 +625,7 @@ public class JBossWebRealm extends RealmBase {
             ok = helper.hasUserDataPermission(map, request, response, PolicyContext.getContextID(), callerSubject,
                     getPrincipalRoles(request));
         }
-        if(!ok) {
+        if(!ok && response.getStatus() != Response.SC_FOUND) {
             response.sendError(Response.SC_FORBIDDEN);
         }
         return ok;
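Review bot: the guard on the `if(!ok ...)` line keys on one specific status, `Response.SC_FOUND`, so a redirect that the user-data-permission helper set with any other code (301, 307) would still be overwritten by `response.sendError(Response.SC_FORBIDDEN)`, and if the helper has already committed the response the `sendError` call fails instead of being skipped. Consider guarding on whether the response has already been handled (for example `response.isCommitted()` or a status other than the default) rather than on a single redirect code, and add a comment above `return ok;` stating that a false return with the redirect already in place is the expected outcome for a CONFIDENTIAL constraint reached over plain HTTP, so callers do not add a second denial on top of it.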

Possible patch.
Comment 7 Emmanuel Hugonnet (ehsavoie) 2013-10-15 10:10:49 EDT
Fixed in https://github.com/jbossas/jboss-eap/pull/555 using 
-        if(!ok) {
+        if(!ok && response.getStatus() == Response.SC_OK) {
             response.sendError(Response.SC_FORBIDDEN);
         }
         return ok;
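Review bot: `response.getStatus() == Response.SC_OK` depends on the status still being the untouched default when nothing has been written, so the 403 is now suppressed for any status the helper set, not only the 302 redirect; that is broader than the `!= Response.SC_FOUND` variant in comment 6 and also covers 301/307, but it means a permission failure that itself set a 4xx/5xx keeps that status silently. A one-line comment above the `if` saying that a non-200 status here means `hasUserDataPermission` has already issued the transport redirect would document the intent, and since the method still returns `ok == false` in that case, callers must not emit a second error over the redirect.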
Comment 8 Radim Hatlapatka 2013-11-06 06:48:35 EST
Verified using EAP 6.2.0.ER7
