Two-legged authorization with apache http server - apache

I have an api (running in a jetty instance) where I use two-legged oauth protocol to give access to the clients. I wrote a simple java client (using oauth-signpost) to connect to the api and the connection is successful.
I would like to put the api behind an apache http server. The apache http server is configured to forward request to api.
The following works:
(without oauth) Client ---> Apache HTTP Server --> Jetty
(with oauth) Client ---> Jetty
The following doesn't work:
(with oauth) Client ---> Apache HTTP Server ---> Jetty
I receive the following error message
"Invalid signature for signature method HMAC-SHA1"
Has any of you faced this issue? Is it possible to sign the request but without the hostname and port?
Thank you.

I had a similar problem. The problem I found was that the OAuth signature and the OAuth header block need to have the Jetty URL, not the Apache URL.
I had to modify my code to pass along two URLs. The URL I was sending the request to (Apache) and the URL of the resource on the final system (Jetty URL).

Related

Apache CXF SSL through proxy

I am connecting to an external soap endpoint using Apache CXF. I am going through a proxy server (using credentials) before I hit the https/SSL external endpoint. The team that supports the external web service is saying that they do not see my basic authentication header. I logged the header and payload from my workstation before just before it leaves my workstation. I can see both the basic authentication and the proxy authentication headers.
My question is really twofold:
1. At what point is the SSL message from my computer actually encrypted?
2. Is it possible for something in the network to be dropping the Basic authorization header?
3. What additional troubleshooting steps can I take?
I found the issue, my proxy server was dropping any header with the word Basic in it.
Thanks,
Brian

Does HaProxy Supports "API Gateway" Feature like NGINX

We are evaluating reverse proxies which support API Gateway feature. We tested the API Gateway feature in NGINX with a custom authentication Application. The request flow in NGINX is that when a request reaches NGINX, it forwards the request for authentication to a custom authentication application. If the auth application returns HTTP 200, NGINX forwards the request to downstream servers.
HaProxy:
For HAP proxy I am unable to figure out how to integrate the custom authentication application in HAProxy configurations.
Kindly guide me to the correct configuration/resource for me to proceed.

How configure JBoss to reject HTTP request on HTTPS port

I have configured JBoss with HTTPS connector only. Now I have problem, that in case I'm using HTTP request to HTTPS connector, it returns page with one ASCII character, instead of some error page, for example 505 or something else what can user inform, about invalid request.
There is no used Apache nor any other web server, where some rules for URL rewriting could apply. Also often used change in web.xml with <transport-guarantee>CONFIDENTIAL</transport-guarantee> tag do not solve this problem, as there must be HTTP request, which is then redirected to HTTPS based on "redirectPort" param in connector configuration and in this case there is not plan to use any other port and it is not possible to combine HTTP and HTTPS listener together on one port.
Is there some way how to configure SSL listener, that way, that it refuse HTTP request, or automatically change to HTTPS?
JBoss 5.1.0
Your browser uses HTTP to talk to server, but on the server side is the security layer (around the HTTP) and it wants to do a SSL/TLS handshake. So the communication fails because client doesn't know about the security on the other side.
The client (browser) receives error message (binary data) from server. The client doesn't know what to do with them, so it presents them to a user as a web page content.
RFC-5246 states:
Error handling in the TLS Handshake protocol is very simple. When an
error is detected, the detecting party sends a message to the other
party. Upon transmission or receipt of a fatal alert message, both
parties immediately close the connection.
Undertow - a new web server in WildFly - is able to do HTTP Upgrade. But I'm not sure if the upgrade to SSL/TLS is already supported. Nevertheless, the problem with this scenario could be on the browser side.

How does the communication with an HTTPS Web Proxy Work?

I wish to setup an HTTPS proxy and have HTTP clients send requests securely to the proxy. For example, a browser can initiate a HTTP GET request which should be an encrypted request to the proxy and the proxy then removes the encryption and then passes the request to the end-site. Squid proxy can be set up to work like this (info here).
I have set up such a HTTPS enabled proxy. But I am unable to write my own HTTP clients to work with it. The same link above mentions that chrome is the only browser that supports such a proxy. I tested Chrome and it was able to work with such an HTTPS proxy.
I wish to gain an understanding of how such a proxy works so that I can write my own HTTP clients.
As I understand it, it's a connection to regular HTTP proxy BUT this connection is made over TLS. The client indeed needs to support this scheme explicitly and existing clients as-is can't be tuned up (without extra coding).

Can we inject a request parameter to a http request in apache

We have an Apache web server which acts as a proxy to a tomcat server.
Our web applications are hosted on the tomcat server and the external urls are mapped to the internal urls in the apache.
The protocol used for communication between apache and tomcat is ajp13.
We are required to send a parameter to the webapplication when the first request from a client reaches the webapplication i.e. when the login page is requested for.
The external url cannot be modified since it is already in use hence additional http get parameters cannot be specified.
Is it possible to inject a request parameter in apache so that by the time request ends up on tomcat it would have this parameter?
Create a servlet filter that checks if a particular cookie is set. If not, set the cookie and create a HttpServletRequestWrapper with the injected request parameter. Pass that wrapped request to chain.doFilter().