Steps to reproduce:
1. Configure Opencast on port 8080 using an http server url in custom.properties, e.g. http://my.domain
2. Configure apache (or nginx) proxy for http://my.domain and https://my.domain
3. Configure https://my.domain vhost in apache to reverse proxy to http://my.domain:8082
4. Configure apache SSL vhost to reverse proxy to http://my.domain:8082
ProxyPass / http://localhost:8082/ timeout=7200 connectiontimeout=7200
RequestHeader set X-Forwarded-SSL "on"
5. Configure an LTI tool in an LMS to launch to https://my.domain/lti
6. Launch LTI tool
LTI launch fails because the oauth signature validation fails because the LMS Opencast URL is https and the internal Opencast URL is http:
Invalid signature for signature method HMAC-SHA1
LTI launch should succeed.
The HttpsFilter is intended to deal with this use-case by overriding getScheme() for the HttpRequest so that the oauth filter constructs the signature validation using https rather than http if the request is https.
The HttpsFilter was not being called before the oauth filter.
Fix is to adjust the service.ranking so it's called earlier in the request chain.