Bug 995559 - Cannot create a resteasy 3 oauth2 server app because of redirect loop
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Containers
Version: 1.x
Hardware: x86_64
OS: Linux
Priority: medium
Severity: high
Assignee: Dan Mace
QA Contact: libra bugs
Reported: 2013-08-09 17:39 UTC by German
Modified: 2021-08-30 13:48 UTC (History)
Doc Type: Bug Fix
Last Closed: 2013-08-21 14:45:39 UTC

Attachments:
Ready to deploy openshift repo code to replace jboss7 scalable cartridge. (5.29 MB, application/zip), 2013-08-09 17:39 UTC, German


Links: Red Hat Knowledge Base (Solution) 749753

Description German 2013-08-09 17:39:19 UTC
Created attachment 784937
Ready to deploy openshift repo code to replace jboss7 scalable cartridge.

Description of problem:

I'm working on a resteasy 3 backend application using the new authentication features as an oauth server. As specified in resteasy docs, oauth server only works through https. In my local environment everything is working perfectly because I'm able to map https traffic to the required port.

In OpenShift I'm building a scalable application and https is not redirecting as expected by haproxy or entry proxy servers.

As extra information, this is the open post in the OpenShift community:

https://www.openshift.com/forums/openshift/resteasy-3-oauth2-haproxy-https-problem

Version-Release number of selected component (if applicable):

Scalable jboss 7 application with new resteasy 3 module replacement.

How reproducible:

I have created a test project ready to deploy in any jboss7 cartridge on openshift. If you want to run this locally, some adjustments will be needed, to correctly reference .jks and .ts files from oauth .json configuration file. 

Steps to Reproduce:

1. Create a jboss 7 scalable application named resteasy3test (for example). No more cartridges needed.
2. Do a git clone locally.
3. Replace the contents of the repo with the contents of the attached zip, including the .openshift folder, which has a replacement for the resteasy module to use resteasy 3. Temporarily available here too: https://dl.dropboxusercontent.com/u/29693837/resteasy3test.zip
4. Then execute a git add, git commit and finally a git push.

Actual results:

After deployment, this url is accessible:

https://resteasy3test-yourdomain.rhcloud.com/j_oauth_realm_info.html

But every url related to authentication via https is not working, like:

https://resteasy3test-yourdomain.rhcloud.com/login.jsp

Also trying to obtain a bearer token via authentication header request to this url: https://resteasy3test-yourdomain.rhcloud.com/j_oauth_token_grant?grant_type=client_credentials is failing with this error:

400 Bad Request,The request sent by the client was syntactically incorrect

Expected results:

Be able to authenticate and access login and admin pages of my oauth server, like I do in my local environment.

Additional info:

All of this is working perfectly in my local environment with the same versions of everything as the openshift environment, except haproxy, which I'm not using.

Comment 1 Abhishek Gupta 2013-08-13 18:37:16 UTC
The user needs SSL access to the gear and we terminate SSL at the frontend apache on the node.

Comment 2 Rob Millner 2013-08-16 23:13:31 UTC
OpenShift doesn't pass https down to the gears, it's terminated at the front-end Apache server proxied to the gears using https.

On an SSL connection to the frontend, the gear receives the following headers in addition to normal parsed headers:

X-Forwarded-Proto = "https"

X-Forwarded-SSL-Client-Cert contains the client cert if there was one.

X-Client-IP = the IP address which contacted the front-end.

The original request headers and cookies should pass through the proxy.



I wasn't able to get your application running to inspect it further (it gives 404 errors on my test setup, even when accessing snoop.jsp).   One of our Java people may be able to dig into it and find out what's missing.


Were the headers above enough to get your app working with the proxied http connection?

Comment 3 German 2013-08-17 08:36:25 UTC
I think that headers are not enough because this working test extracted from rest easy 3 provided examples is not interpreting them or is not what it needs to understand ssl. I'm not an expert on this.

The zip provided works nicely on an openshift jboss7 scalable application, it needs the app-root/repo folder in order to locate realm.jks and client-truststore.ts

Those two files are not packed inside the final deployable war. If you want to run this test app outside the described environment, you must copy those two files to a known location and change the corresponding property in pom.xml before building the war file.

In the profiles definition in pom.xml you will find this properties definition:

    <properties>
        <keyspath>${env.OPENSHIFT_REPO_DIR}</keyspath>
    </properties>

You must change this openshift env var to a full path where the app could find those two files. For example: /Users/Rob/testfiles

I don't know if this is the problem you are having, but it is worth a try. I think it would be interesting to run this test to see the exact problem of the redirecting loop.

Looking forward to getting this solved.

Thank you!

Comment 4 Rob Millner 2013-08-19 20:35:39 UTC
Passing to one of our developers who is more familiar with JBoss to see what can be done for the app to deal with SSL termination at the front-end Apache (OpenShift does not pass SSL through to the gear).

Comment 5 German 2013-08-21 06:47:06 UTC
I think that the definition of severity low does not fit with the impact this has on my development, so I raised it to high.

I cannot continue my development with this redirecting loop thing, and after talking with openshift people they agree that this could be a bug.

I need some advice or actions to be taken. Thank you!

Comment 6 Dan Mace 2013-08-21 14:45:39 UTC
JBoss has explicit support for HTTPS connectors running behind a front-end proxy. In your JBoss standalone.xml configuration, do something like this to configure the HTTP connector for proxy support:

<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" proxy-name="${OPENSHIFT_GEAR_DNS}" proxy-port="443" secure="true"/>

This resolves the redirect loop.

Please refer to the following documentation for further options (such as redirecting HTTP requests to HTTPS, something I didn't account for here):

https://docs.jboss.org/jbossweb/7.0.x/config/http.html

Closing the issue, as there's no bug (just a difference in local/deployed environment configuration in that in the deployed environment there's a haproxy instance which must be accounted for).
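
A simplified model of the setup described in Comments 2 and 6, added here as an illustration and not taken from the thread, OpenShift or JBoss. It shows why a secure-channel check behind a TLS-terminating proxy loops, why marking the connector secure stops the loop, and why plain-HTTP requests then also pass unless the forwarded scheme is checked. `Gear`, `frontend`, `browse` and `app.example` are hypothetical names.

```python
# Constructed model (not OpenShift or JBoss code); every name here is hypothetical.
from dataclasses import dataclass

HOST = "app.example"  # placeholder host


@dataclass
class Gear:
    connector_secure: bool = False  # models the connector's secure="..." attribute
    check_forwarded: bool = False   # app additionally inspects X-Forwarded-Proto

    def handle(self, path, headers):
        """Return (status, location) for a request the proxy forwarded over HTTP."""
        # Assumption of the model: the container reports "secure" from the
        # connector setting, because the proxy-to-gear hop is always plain HTTP.
        if not self.connector_secure:
            return 302, f"https://{HOST}{path}"
        # App-level check of the scheme the client used with the front end.
        if self.check_forwarded and headers.get("X-Forwarded-Proto") != "https":
            return 302, f"https://{HOST}{path}"
        return 200, None


def frontend(url, gear):
    """Terminate TLS, record the client's scheme in a header, forward to the gear."""
    scheme, _, rest = url.partition("://")
    path = "/" + rest.partition("/")[2]
    return gear.handle(path, {"X-Forwarded-Proto": scheme})


def browse(url, gear, max_redirects=10):
    """Follow redirects like a browser; return (outcome, redirects_followed)."""
    for hops in range(max_redirects + 1):
        status, location = frontend(url, gear)
        if status != 302:
            return status, hops
        url = location
    return "redirect loop", max_redirects


if __name__ == "__main__":
    for url, gear in [
        ("https://app.example/login.jsp", Gear()),
        ("https://app.example/login.jsp", Gear(connector_secure=True)),
        ("http://app.example/login.jsp", Gear(connector_secure=True)),
        ("http://app.example/login.jsp", Gear(True, check_forwarded=True)),
    ]:
        print(url, gear, "->", browse(url, gear))
```

In the model the front end overwrites X-Forwarded-Proto on every request; the header check means nothing if a client can reach the gear without passing through that proxy.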

Comment 7 Jason DeTiberus 2013-08-21 15:52:59 UTC
The following community posts provide more information on how to detect https/http from the JBoss container and redirect http -> https:
    https://www.openshift.com/kb/kb-e1044-how-to-redirect-traffic-to-https
    https://www.openshift.com/forums/openshift/redirect-to-https-fails-port-8443

Comment 8 German 2013-08-22 08:30:43 UTC
Thank you all. 

I can confirm that Dan Mace's suggestion is preventing the redirect loop thing. And my test case scenario is working. Now I need to test my production environment.

Again, thank you.

