HttpsFilter is not called before OAuthProviderProcessingFilter

Steps to reproduce

Steps to reproduce:

1. Configure Opencast on port 8080 using an http server url in, e.g. http://my.domain
2. Configure apache (or nginx) proxy for http://my.domain and https://my.domain
3. Configure https://my.domain vhost in apache to reverse proxy to http://my.domain:8082
4. Configure apache SSL vhost to reverse proxy to http://my.domain:8082

SSLProxyEngine on
ProxyPreserveHost On
ProxyPass / http://localhost:8082/ timeout=7200 connectiontimeout=7200
RequestHeader set X-Forwarded-SSL "on"

5. Configure an LTI tool in an LMS to launch to https://my.domain/lti
6. Launch LTI tool

Actual Results:

LTI launch fails because the oauth signature validation fails because the LMS Opencast URL is https and the internal Opencast URL is http:

Invalid signature for signature method HMAC-SHA1

Expected Results:

LTI launch should succeed.


The HttpsFilter is intended to deal with this use-case by overriding getScheme() for the HttpRequest so that the oauth filter constructs the signature validation using https rather than http if the request is https.

The HttpsFilter was not being called before the oauth filter.

Fix is to adjust the service.ranking so it's called earlier in the request chain.

Fixed and reviewed


Stephen Marquard


Stephen Marquard


Incorrectly Functioning With Workaround

Tags (folksonomy)



Fix versions

Affects versions