Bug 995559 - Cannot create a resteasy 3 oauth2 server app because of redirect loop
Status: CLOSED NOTABUG
Product: OpenShift Online
Classification: Red Hat
Component: Containers
1.x
x86_64 Linux
medium Severity high
Assigned To: Dan Mace
libra bugs
Reported: 2013-08-09 13:39 EDT by German
Modified: 2014-05-19 08:49 EDT

Doc Type: Bug Fix
Last Closed: 2013-08-21 10:45:39 EDT
Type: Bug


Attachments
Ready to deploy openshift repo code to replace jboss7 scalable cartridge. (5.29 MB, application/zip)
2013-08-09 13:39 EDT, German


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 749753 None None None Never

Description German 2013-08-09 13:39:19 EDT
Created attachment 784937
Ready to deploy openshift repo code to replace jboss7 scalable cartridge.

Description of problem:

I'm working on a resteasy 3 backend application using the new authentication features as an oauth server. As specified in resteasy docs, oauth server only works through https. In my local environment everything is working perfectly because I'm able to map https traffic to the required port.

In OpenShift I'm building a scalable application and https is not redirecting as expected by haproxy or entry proxy servers.

As extra information, this is the open post in the OpenShift community:

https://www.openshift.com/forums/openshift/resteasy-3-oauth2-haproxy-https-problem

Version-Release number of selected component (if applicable):

Scalable jboss 7 application with new resteasy 3 module replacement.

How reproducible:

I have created a test project ready to deploy in any jboss7 cartridge on openshift. If you want to run this locally, some adjustments will be needed, to correctly reference .jks and .ts files from oauth .json configuration file. 

Steps to Reproduce:

1. Create a jboss 7 scalable application named resteasy3test (for example). No more cartridges needed.
2. Do a git clone locally.
3. Replace the contents of the repo with the contents of the attached zip, including the .openshift folder, which has a replacement for the resteasy module to use resteasy 3. Temporarily available here too: https://dl.dropboxusercontent.com/u/29693837/resteasy3test.zip
4. Then execute a git add, git commit and finally a git push.

Actual results:

After deployment, this url is accessible:

https://resteasy3test-yourdomain.rhcloud.com/j_oauth_realm_info.html

But every URL related to authentication via https is not working, like:

https://resteasy3test-yourdomain.rhcloud.com/login.jsp

Also trying to obtain a bearer token via authentication header request to this url: https://resteasy3test-yourdomain.rhcloud.com/j_oauth_token_grant?grant_type=client_credentials is failing with this error:

400 Bad Request,The request sent by the client was syntactically incorrect

Expected results:

Be able to authenticate and access login and admin pages of my oauth server, like I do in my local environment.

Additional info:

All of this is working perfectly in my local environment with the same versions of everything as the openshift environment, except haproxy, which I'm not using.

Comment 1 Abhishek Gupta 2013-08-13 14:37:16 EDT
The user needs SSL access to the gear and we terminate SSL at the frontend apache on the node.

Comment 2 Rob Millner 2013-08-16 19:13:31 EDT
OpenShift doesn't pass https down to the gears; it's terminated at the front-end Apache server and proxied to the gears using https.

On an SSL connection to the frontend, the gear receives the following headers in addition to normal parsed headers:

X-Forwarded-Proto = "https"

X-Forwarded-SSL-Client-Cert contains the client cert if there was one.

X-Client-IP = the IP address which contacted the front-end.

The original request headers and cookies should pass through the proxy.



I wasn't able to get your application running to inspect it further (it gives 404 errors on my test setup, even when accessing snoop.jsp).   One of our Java people may be able to dig into it and find out what's missing.


Were the headers above enough to get your app working with the proxied http connection?

Comment 3 German 2013-08-17 04:36:25 EDT
I think that headers are not enough because this working test extracted from resteasy 3 provided examples is not interpreting them or is not what it needs to understand ssl. I'm not an expert on this.

The zip provided works nicely on an openshift jboss7 scalable application, it needs the app-root/repo folder in order to locate realm.jks and client-truststore.ts

Those two files are not packed inside the final deployable war. If you want to run this test app outside the described environment, you must copy those two files to a known location and change the corresponding property in pom.xml before building the war file.

In profiles definition in pom.xml you will find this properties definition:

    <properties>
        <keyspath>${env.OPENSHIFT_REPO_DIR}</keyspath>
    </properties>

You must change this openshift env var to a full path where the app could find those two files. For example: /Users/Rob/testfiles

I don't know if this is the problem you are having, but it is worth a try. I think it would be interesting to run this test to see the exact problem of the redirecting loop.

Looking forward to getting this solved.

Thank you!

Comment 4 Rob Millner 2013-08-19 16:35:39 EDT
Passing to one of our developers who is more familiar with JBoss to see what can be done for the app to deal with SSL termination at the front-end Apache (OpenShift does not pass SSL through to the gear).

Comment 5 German 2013-08-21 02:47:06 EDT
I think that the definition of severity low does not fit the impact this has on my development, so I raised it to high.

I cannot continue my development with this redirecting loop thing, and after talking with openshift people they agree that this could be a bug.

I need some advice or actions to be taken. Thank you!

Comment 6 Dan Mace 2013-08-21 10:45:39 EDT
JBoss has explicit support for HTTPS connectors running behind a front-end proxy. In your JBoss standalone.xml configuration, do something like this to configure the HTTP connector for proxy support:

<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" proxy-name="${OPENSHIFT_GEAR_DNS}" proxy-port="443" secure="true"/>

This resolves the redirect loop.

Please refer to the following documentation for further options (such as redirecting HTTP requests to HTTPS, something I didn't account for here):

https://docs.jboss.org/jbossweb/7.0.x/config/http.html

Closing the issue, as there's no bug (just a difference in local/deployed environment configuration in that in the deployed environment there's a haproxy instance which must be accounted for).

Comment 7 Jason DeTiberus 2013-08-21 11:52:59 EDT
The following community posts provide more information on how to detect https/http from the JBoss container and redirect http -> https:
    https://www.openshift.com/kb/kb-e1044-how-to-redirect-traffic-to-https
    https://www.openshift.com/forums/openshift/redirect-to-https-fails-port-8443
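
The detection and http -> https redirect that Comment 7 refers to, written as a servlet filter that reads the `X-Forwarded-Proto` header listed in Comment 2. This is an added example, not code from the bug thread or the linked posts; the class name `ForwardedProtoFilter` is hypothetical, and it assumes the gear can only be reached through the front-end proxy, so the header is set by the proxy and not by the client.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

// Added example; ForwardedProtoFilter is a hypothetical name.
// Assumption: the gear is reachable only through the front-end proxy, so
// X-Forwarded-Proto is set by the proxy and cannot be supplied by a client.
public class ForwardedProtoFilter implements Filter {
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // With TLS terminated at the front end and a default connector,
        // request.isSecure() is false for every request, so a redirect keyed
        // on it never stops. Decide from the proxy's header instead.
        String proto = request.getHeader("X-Forwarded-Proto");
        if (!"https".equalsIgnoreCase(proto)) {
            // Client spoke plain HTTP to the front end: redirect once to HTTPS.
            StringBuilder target = new StringBuilder("https://")
                    .append(request.getServerName())
                    .append(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.sendRedirect(target.toString());
            return;
        }

        // Client used HTTPS: present the original scheme to the application.
        chain.doFilter(new HttpServletRequestWrapper(request) {
            @Override public boolean isSecure() { return true; }
            @Override public String getScheme() { return "https"; }
            @Override public int getServerPort() { return 443; }
        }, response);
    }
}
```

If the gear were reachable without passing through the proxy, a client could send `X-Forwarded-Proto: https` itself and the filter would treat a plain-HTTP request as secure.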

Comment 8 German 2013-08-22 04:30:43 EDT
Thank you all.

I can confirm that Dan Mace's suggestion is preventing the redirect loop thing, and my test case scenario is working. Now I need to test my production environment.

Again, thank you.
