HttpsFilter is not called before OAuthProviderProcessingFilter

Steps to reproduce

Steps to reproduce:

1. Configure Opencast on port 8080 using an http server url in custom.properties, e.g. http://my.domain
2. Configure apache (or nginx) proxy for http://my.domain and https://my.domain
3. Configure https://my.domain vhost in apache to reverse proxy to http://my.domain:8082
4. Configure apache SSL vhost to reverse proxy to http://my.domain:8082

SSLProxyEngine on
ProxyPreserveHost On
ProxyPass / http://localhost:8082/ timeout=7200 connectiontimeout=7200
RequestHeader set X-Forwarded-SSL "on"

5. Configure an LTI tool in an LMS to launch to https://my.domain/lti
6. Launch LTI tool

Actual Results:

LTI launch fails because the oauth signature validation fails because the LMS Opencast URL is https and the internal Opencast URL is http:

Invalid signature for signature method HMAC-SHA1

Expected Results:

LTI launch should succeed.

Analysis:

The HttpsFilter is intended to deal with this use-case by overriding getScheme() for the HttpRequest so that the oauth filter constructs the signature validation using https rather than http if the request is https.

The HttpsFilter was not being called before the oauth filter.

Fix is to adjust the service.ranking so it's called earlier in the request chain.

Assignee

Stephen Marquard

Reporter

Stephen Marquard

Severity

Incorrectly Functioning With Workaround

Tags (folksonomy)

None

Components

Fix versions

Affects versions

Priority

Major
Configure