HttpsRequestWrapper wrongly sets the new URL

Steps to reproduce:

1. Run Opencast without HTTPS
2. Configure an HTTP proxy to use HTTPS and set the "X-Forwarded-SSL" header to "on". Configure Opencast to use the proxy URL.
3. Configure LTI and try to authenticate

Actual Results:

An error is returned:

HTTP ERROR 401
Problem accessing /lti. Reason:
Invalid signature for signature method HMAC-SHA1

The problem is that the SignatureBaseString of OAuth still contains "http" instead of "https" and thus validation fails. This is a result of a bug in `modules/matterhorn-kernel/src/main/java/org/opencastproject/kernel/filter/https/HttpsRequestWrapper.java:46` where `originalURL` is reset to the "http" one.

Expected Results:

The LTI tool is displayed.
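
The failure described in this report, as an added example (not Opencast code and not from the reporter): the OAuth 1.0 signature base string (RFC 5849) includes the request URL with its scheme, so a signature the LTI consumer computed over the https URL does not verify when the server rebuilds the base string from the http URL it sees behind the proxy. Host name, consumer key, secret and nonce are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(value, safe="-._~")

def base_string_uri(url):
    # RFC 5849 section 3.4.1.2: lowercase scheme and host, drop the default port.
    parts = urlsplit(url)
    host = parts.hostname
    default = {"http": 80, "https": 443}[parts.scheme]
    if parts.port and parts.port != default:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}{parts.path or '/'}"

def signature_base_string(method, url, params):
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def verify(method, url, params, consumer_secret, received):
    # Constant-time comparison of the recomputed and the received signature.
    expected = sign(method, url, params, consumer_secret)
    return hmac.compare_digest(expected, received)

# Constructed sample LTI launch; every value below is a placeholder.
PARAMS = {
    "oauth_consumer_key": "example-key",
    "oauth_nonce": "constructed-nonce",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1496761080",
    "oauth_version": "1.0",
    "lti_message_type": "basic-lti-launch-request",
}
SECRET = "example-secret"
PUBLIC_URL = "https://opencast.example.org/lti"  # URL the LTI consumer signed
BACKEND_URL = "http://opencast.example.org/lti"  # URL seen behind the proxy
CONSUMER_SIG = sign("POST", PUBLIC_URL, PARAMS, SECRET)
```

`verify("POST", BACKEND_URL, PARAMS, SECRET, CONSUMER_SIG)` fails while the same call with `PUBLIC_URL` succeeds, which is the 401 shown above.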

Activity

Stephen Marquard
June 6, 2017, 2:58 PM

The issue now is that HttpsFilter is not being executed in the filter chain before the OAuth filter. We can fix this by changing the filter service.ranking (to be equivalent to that of OrganizationFilter).

diff --git a/modules/matterhorn-kernel/src/main/resources/OSGI-INF/https-filter.xml b/modules/matterhorn-kernel/src/main/resources/OSGI-INF/https-filter.xml
index f9407a8..194584d 100644
— a/modules/matterhorn-kernel/src/main/resources/OSGI-INF/https-filter.xml
+++ b/modules/matterhorn-kernel/src/main/resources/OSGI-INF/https-filter.xml
@@ -7,7 +7,7 @@
<property name="httpContext.id" value="opencast.httpcontext" />
<property name="httpContext.shared" value="true" />
<!-- The CleanSessionsFilter must have the highest service.ranking value. See CleanSessionsFilter.java for details. -->

  • <property name="service.ranking" value="9" />
    + <property name="service.ranking" value="2" />
    <property name="urlPatterns" value="*" />
    <service>
    <provide interface="javax.servlet.Filter" />
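
Review bot: the context comment directly above the changed service.ranking line is about CleanSessionsFilter, so nothing in https-filter.xml documents why this filter gets ranking 2. The new value carries an ordering requirement (the HTTPS rewrite has to run before the OAuth filter validates the signature, and 2 is chosen to match OrganizationFilter), so replace that comment with one stating the constraint; otherwise a later ranking change to either filter can silently bring the 401 back. Giving two filters the same ranking also leaves their relative order to something other than this value; if HttpsFilter must also run before OrganizationFilter, give it a distinct ranking.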

Stephen Marquard
June 6, 2017, 3:14 PM

Going to put the fix in a new JIRA as it's a slightly different issue - see

Fixed and reviewed

Assignee: Stephen Marquard

Reporter: Matthias Neugebauer

Severity: Non Functioning

Tags (folksonomy): None

Priority: Major