Opencast / MH-13531

Using CAS SSO behind a reverse proxy providing SSL termination doesn't work correctly

    Details

    • Type: Bug
    • Status: In Review
    • Priority: Major
    • Resolution: Unresolved
    • Affects versions: 7.0
    • Fix versions: None
    • Components: Backend Software
    • Labels:
      None
    • Severity:
      Incorrectly Functioning With Workaround
    • Steps to reproduce:
      1. Configure CAS SSO within Opencast (using the public https:// URLs provided by the reverse proxy)
      2. The SSO login redirects you to the login page; the ticket that gets returned tries to validate
      3. Ticket validation error.
       
       Actual Results:
       
      The service URL configured in the config is in the form of https://PUBLIC_URL/... but gets rewritten by the springframework security cas library to https://PUBLIC_URL:80/... . This is the reason the validation fails. Looking at the springframework code, it seems that the library is taking the port from the incoming request, and when it isn't set, sets it to the default port 80.
       
       Expected Results:
       
      Don't touch the configured service URL.
       
       Workaround (if any):
       
      When using Nginx it's possible to add a header including the port:
      proxy_set_header Host $host:$server_port;

      When using HAProxy with OpenShift we were unable to fix it in a similar fashion. By using the following settings:

      http-request set-header Host %[req.hdr(Host)]:%[dst_port]

      We were able to get through the login but after login we get redirected to http://PUBLIC_URL:443/... for some unknown reason.
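
The port rewrite described in this report, as an added Python model (not Opencast or Spring Security code, and not part of the original report). It assumes the backend is reached over plain HTTP behind the TLS-terminating proxy and that an explicit default port compares equal to an omitted one; `sso.example.org` and `/cas/callback` are constructed stand-ins for PUBLIC_URL and the callback path.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample value; stands in for the configured https://PUBLIC_URL/... service URL.
CONFIGURED = "https://sso.example.org/cas/callback"


def port_seen_by_backend(host_header, backend_scheme="http"):
    """Port from the Host header, else the default for the hop that reached the backend."""
    _, sep, port = host_header.rpartition(":")
    if sep and port.isdigit():
        return int(port)
    return DEFAULT_PORTS[backend_scheme]


def rebuilt_service_url(configured, host_header, backend_scheme="http"):
    """Model of the reported rewrite: configured scheme/host/path, port from the request."""
    cfg = urlsplit(configured)
    port = port_seen_by_backend(host_header, backend_scheme)
    return f"{cfg.scheme}://{cfg.hostname}:{port}{cfg.path}"


def effective(url):
    """(scheme, host, port), with the scheme's default port filled in when omitted."""
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme]


def service_mismatch(configured, observed):
    """Names of the URL parts that differ between configured and observed service URL."""
    names = ("scheme", "host", "port")
    pairs = zip(names, effective(configured), effective(observed))
    return [name for name, want, got in pairs if want != got]


if __name__ == "__main__":
    # Host header values as the backend would receive them (constructed).
    for host in ("sso.example.org", "sso.example.org:443"):
        url = rebuilt_service_url(CONFIGURED, host)
        print(f"Host: {host:22} -> {url}  mismatch={service_mismatch(CONFIGURED, url)}")
    # The post-login redirect reported for the HAProxy attempt.
    print(service_mismatch(CONFIGURED, "http://sso.example.org:443/cas/callback"))
```

Running `service_mismatch` against the service URL logged during ticket validation shows which part of the URL (scheme, host or port) the proxy headers still get wrong.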

            People

            • Assignee:
              kkeppens Kristof Keppens
              Reporter:
              kkeppens Kristof Keppens