0 Replies Latest reply on Jan 12, 2020 2:22 PM by Erhard Siegl

    Digest Security behind reverse proxy leads to HTTP 400 Bad Request

    Erhard Siegl Novice

      When using newer Wildfly or EAP versions >= 7.1.0, the digest algorithm is not working if Wildfly is behind a reverse proxy and the proxy changes the URL.

       

      For example, with Apache:

      ProxyPass /jboss/ http://localhost:8080/

       

      The reason is that since "[WFLY-10218] client can use bogus uri in digest authentication" (wildfly/wildfly@493dc1c on GitHub), Wildfly is validating whether the client uses the same URI in the Authorization header as the server URL. This is not the case and Wildfly returns 400. In our case this breaks changing from EAP 7.0 to EAP 7.2.

       

      There is a workaround by setting

      /system-property=jboss.security.validate-digest-url:add(value=false)

      Knowing this, it's not a big deal; however, finding the reason takes some time.

       

      A comment in the code says:

                          //I am not sure if this is overly strict, however I think it is better

                          //to be safe than sorry

      Since changing the URL with reverse proxies is quite common, I think it is overly strict. Should I open a bug in the Red Hat Issue Tracker?

       

      Regards

      Erhard
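
An added illustration of the mismatch described in the post above (not part of the original post and not WildFly's code): a small Python model of an RFC 2617 qop=auth digest check behind the `ProxyPass /jboss/` mapping. The credentials, nonce values, path `/jboss/app/status` and all function names are constructed for the example; `validate_uri` stands in for the `jboss.security.validate-digest-url` property.

```python
import hashlib
import hmac
import re

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # RFC 2617, qop=auth: the uri is hashed into HA2, so it is part of the proof.
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def client_header(user, realm, password, method, uri, nonce, nc, cnonce):
    # The client signs the URI it requested, i.e. the proxy-facing one.
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def parse_digest(header):
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)
    return {k: v.strip('"') for k, v in pairs}

def proxy_rewrite(path, front="/jboss/", back="/"):
    # Models: ProxyPass /jboss/ http://localhost:8080/
    return back + path[len(front):] if path.startswith(front) else path

def backend_status(header, method, request_target, password, validate_uri=True):
    p = parse_digest(header)
    if validate_uri and p["uri"] != request_target:
        return 400  # the strict URI comparison the post describes
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return 200 if hmac.compare_digest(expected, p["response"]) else 401

# Constructed sample values, not taken from any real system.
CRED = ("alice", "demo-realm", "s3cret")
NONCE = ("constructed-nonce", "00000001", "constructed-cnonce")

def demo():
    client_path = "/jboss/app/status"      # what the client requests and signs
    header = client_header(*CRED, "GET", client_path, *NONCE)
    seen = proxy_rewrite(client_path)      # what the backend actually receives
    strict = backend_status(header, "GET", seen, CRED[2])
    relaxed = backend_status(header, "GET", seen, CRED[2], validate_uri=False)
    return seen, strict, relaxed
```

With the comparison turned off, the backend still verifies the hash, but only over the `uri` value the client put in the header, not over the path it is actually serving. A proxy mapping that keeps the path identical on both sides avoids the mismatch without disabling the check.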