Major Description
We encountered a bug with Geode that only reveals itself when routing requests through the a proxy that modifies HTTP headers to standardize them in title case format.
gfsh uses the security-username and security-password headers to pass authentication credentials to the locator, but what we saw is that when these go through our proxy and are turned into Security-Username / Security-Password, we can no longer authenticate.
This request emulates what gfsh executes when you run "list members" with an HTTP connection:
curl http://$LOCATOR_IP/gemfire/v1/members -H "security-username: admin" -H "security-password: admin"
This request emulates what gets sent when going through our proxy. This should be the same but will fail:
curl http://$LOCATOR_IP/gemfire/v1/members -H "Security-Username: admin" -H "Security-Password: admin"
We narrowed the bug down to these lines. The HTTP spec specifies that headers should treated as case-insensitive but it looks like Geode is only capable of working with lower-case versions of these headers.