Opencast / MH-12257

HttpsFilter is not called before OAuthProviderProcessingFilter

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed and reviewed
    • Affects Version/s: 3.0
    • Fix Version/s: 3.0
    • Component/s: Backend Software
    • Labels:
    • Severity:
      Incorrectly Functioning With Workaround
    • Steps to reproduce:

      1. Configure Opencast on port 8080 using an http server URL in custom.properties, e.g. http://my.domain
      2. Configure an Apache (or nginx) proxy for http://my.domain and https://my.domain
      3. Configure the https://my.domain vhost in Apache to reverse proxy to http://my.domain:8082
      4. Configure the Apache SSL vhost to reverse proxy to http://my.domain:8082
       
          SSLProxyEngine on
          ProxyPreserveHost On
          ProxyPass / http://localhost:8082/ timeout=7200 connectiontimeout=7200
          RequestHeader set X-Forwarded-SSL "on"

      5. Configure an LTI tool in an LMS to launch to https://my.domain/lti
      6. Launch LTI tool

       Actual Results:

      LTI launch fails because OAuth signature validation fails: the LMS Opencast URL is https and the internal Opencast URL is http:

          Invalid signature for signature method HMAC-SHA1
       
       Expected Results:
       
       LTI launch should succeed.

      Analysis:

      The HttpsFilter is intended to deal with this use case by overriding getScheme() for the HttpRequest, so that the OAuth filter constructs the signature validation using https rather than http if the request is https.

      The HttpsFilter was not being called before the OAuth filter.

      The fix is to adjust the service.ranking so that it is called earlier in the request chain.
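
Why the scheme matters for the signature, as an added example that is not part of the original issue or Opencast's code: OAuth 1.0 HMAC-SHA1 (RFC 5849) signs a base string that includes the request URI scheme, so a validator that sees http behind the proxy computes a different signature than the LMS did for https. The secret, LTI parameters and function names are constructed for illustration; `effective_scheme` only stands in for the role the issue describes for HttpsFilter.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(s):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal
    return quote(s, safe="-._~")

def base_string(method, scheme, host, path, params):
    # RFC 5849 section 3.4.1: METHOD & encoded base URI & encoded sorted parameters
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(f"{scheme}://{host.lower()}{path}"), pct(normalized)])

def sign(method, scheme, host, path, params, consumer_secret):
    # HMAC-SHA1 key is "consumer_secret&token_secret"; an LTI launch has no token secret
    key = (pct(consumer_secret) + "&").encode()
    msg = base_string(method, scheme, host, path, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def effective_scheme(request):
    # Hypothetical stand-in for the role the issue gives HttpsFilter: report https
    # when the reverse proxy set X-Forwarded-SSL. Assumes only the proxy can reach
    # the backend port, so the header is not client-controlled.
    if request["headers"].get("X-Forwarded-SSL", "").lower() == "on":
        return "https"
    return request["scheme"]

def validate(request, consumer_secret, scheme_filter_first):
    # scheme_filter_first=False models the bug: the OAuth check runs on the raw scheme
    scheme = effective_scheme(request) if scheme_filter_first else request["scheme"]
    expected = sign(request["method"], scheme, request["host"], request["path"],
                    request["params"], consumer_secret)
    return hmac.compare_digest(expected, request["signature"])

# Constructed sample data (not taken from the issue)
SECRET = "constructed-consumer-secret"
PARAMS = {"oauth_consumer_key": "constructed-key", "oauth_nonce": "n0nce",
          "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1500000000",
          "oauth_version": "1.0", "lti_message_type": "basic-lti-launch-request"}
# The LMS signs the public URL https://my.domain/lti
LMS_SIGNATURE = sign("POST", "https", "my.domain", "/lti", PARAMS, SECRET)
# What the backend sees after the proxy forwards the request over plain http
PROXIED = {"method": "POST", "scheme": "http", "host": "my.domain", "path": "/lti",
           "headers": {"X-Forwarded-SSL": "on"}, "params": PARAMS,
           "signature": LMS_SIGNATURE}

if __name__ == "__main__":
    print("OAuth filter first:", validate(PROXIED, SECRET, False))  # signature mismatch
    print("Scheme filter first:", validate(PROXIED, SECRET, True))  # signature matches
```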

              People

              • Assignee: Stephen Marquard (smarquard)
              • Reporter: Stephen Marquard (smarquard)