You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@geode.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2016/12/15 17:41:58 UTC

[jira] [Commented] (GEODE-2212) gfsh http authentication fails when routed through a proxy

    [ https://issues.apache.org/jira/browse/GEODE-2212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15751982#comment-15751982 ] 

ASF subversion and git services commented on GEODE-2212:
--------------------------------------------------------

Commit 4696d1b315ed56ccae90592bed6dd662f17597e0 in geode's branch refs/heads/develop from [~jinmeiliao]
[ https://git-wip-us.apache.org/repos/asf?p=geode.git;h=4696d1b ]

GEODE-2212: request headers are case-insensitive


> gfsh http authentication fails when routed through a proxy
> ----------------------------------------------------------
>
>                 Key: GEODE-2212
>                 URL: https://issues.apache.org/jira/browse/GEODE-2212
>             Project: Geode
>          Issue Type: Bug
>          Components: core, gfsh
>            Reporter: Ben Moss
>            Assignee: Mark Bretl
>
> We encountered a bug with Geode that only reveals itself when routing requests through the a proxy that modifies HTTP headers to standardize them in title case format.
> gfsh uses the security-username and security-password headers to pass authentication credentials to the locator, but what we saw is that when these go through our proxy and are turned into Security-Username / Security-Password, we can no longer authenticate.
> This request emulates what gfsh executes when you run "list members" with an HTTP connection:
> {code:none}
> curl http://$LOCATOR_IP/gemfire/v1/members -H "security-username: admin" -H "security-password: admin"
> {code}
> This request emulates what gets sent when going through our proxy. This should be the same but will fail:
> {code:none}
> curl http://$LOCATOR_IP/gemfire/v1/members -H "Security-Username: admin" -H "Security-Password: admin"
> {code}
> We narrowed the bug down to [these lines|https://github.com/apache/geode/blob/bd229d7681376a11ba2e37747e48844ffe65584c/geode-core/src/main/java/org/apache/geode/management/internal/web/controllers/support/LoginHandlerInterceptor.java#L99-L111]. The HTTP spec specifies that headers should treated as case-insensitive but it looks like Geode is only capable of working with lower-case versions of these headers.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)