Wicket
  1. Wicket
  2. WICKET-5000

HttpsMapper Appends Context Root when Behind Apache Proxy

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Minor Minor
    • Resolution: Won't Fix
    • Affects Version/s: 6.5.0
    • Fix Version/s: None
    • Component/s: wicket
    • Labels:
      None
    • Environment:
      Ubuntu 12.04 and Mac OS X Mountain Lion

      Description

      I have a Wicket app running Wicket 6.5.0 which uses HttpsMapper to switch to HTTPS for a login page and on another page. The app is deployed in Weblogic version 10.3.5.0 with a context root of /documentation. Weblogic sits behind an Apache HTTP server which uses the Weblogic HTTP Server plugin (http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/apache.html#120648) and set up like this:

      <VirtualHost *:80>
      WebLogicHost 10.0.2.2
      WebLogicPort 7011

      SetHandler weblogic-handler
      PathPrepend /documentation

      ErrorLog $

      {APACHE_LOG_DIR}/error.log

      # Possible values include: debug, info, notice, warn, error, crit,
      # alert, emerg.
      LogLevel info

      CustomLog ${APACHE_LOG_DIR}

      /access.log combined

      </VirtualHost>

      <IfModule mod_ssl.c>
      <VirtualHost default:443>
      WebLogicHost 10.0.2.2
      WebLogicPort 7011
      ErrorLog $

      {APACHE_LOG_DIR}/ssl_error.log

      SetHandler weblogic-handler
      PathPrepend /documentation
      WLProxySSL ON
      SecureProxy ON

      # Possible values include: debug, info, notice, warn, error, crit,
      # alert, emerg.
      LogLevel info

      CustomLog ${APACHE_LOG_DIR}

      /ssl_access.log combined

      SSLEngine on
      SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
      SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
      </VirtualHost>
      </IfModule>

      I have tried overriding HttpsMapper#createRedirectUrl to remove /documentation from the URL, but it only works if I go directly to the page that is annotated with @RequireHTTPS. While debugging I discovered that the above method doesn't get called if a link is clicked or if RestartResponseAtInterceptPageException is used (with wicket-auth-roles).

      1. myproject.zip
        26 kB
        Tim Urberg

        Activity

        Hide
        Martin Grigorov added a comment -

        Closing this ticket because there is a workaround in Tim's last comment.
        It uses special WebLogic proxy header to check the context paths.

        Show
        Martin Grigorov added a comment - Closing this ticket because there is a workaround in Tim's last comment. It uses special WebLogic proxy header to check the context paths.
        Show
        Tim Urberg added a comment - I figured out a solution: http://apache-wicket.1842946.n4.nabble.com/HttpsMapper-with-Apache-Virtual-Host-Appending-the-Wrong-Path-td4655303.html#a4656336 and http://apache-wicket.1842946.n4.nabble.com/HttpsMapper-with-Apache-Virtual-Host-Appending-the-Wrong-Path-td4655303.html#a4656346
        Hide
        Tim Urberg added a comment - - edited

        I've been doing a little debugging and found this to be the main problem in HttpsMapper:

        final Url mapHandler(IRequestHandler handler, Request request)
        {
        Url url = delegate.mapHandler(handler);

        Scheme desired = getDesiredSchemeFor(handler);
        Scheme current = getSchemeOf(request);
        if (!desired.isCompatibleWith(current))

        { // the generated url does not have the correct scheme, set it (which in turn will cause // the url to be rendered in its full representation) url.setProtocol(desired.urlName()); url.setPort(desired.getPort(config)); }

        return url;
        }

        If I comment out url.setProtocol and url.setPort it loads the page at least with the right url, but still in http. I can then override createRedirectUrl, but that only gets called sometimes. I'm assuming it has to do with the comment there about how the url is rendered in its full representation. So the question is, where does that happen? I wasn't able to find it debugging yet.

        Thanks for your help and your time!

        Show
        Tim Urberg added a comment - - edited I've been doing a little debugging and found this to be the main problem in HttpsMapper: final Url mapHandler(IRequestHandler handler, Request request) { Url url = delegate.mapHandler(handler); Scheme desired = getDesiredSchemeFor(handler); Scheme current = getSchemeOf(request); if (!desired.isCompatibleWith(current)) { // the generated url does not have the correct scheme, set it (which in turn will cause // the url to be rendered in its full representation) url.setProtocol(desired.urlName()); url.setPort(desired.getPort(config)); } return url; } If I comment out url.setProtocol and url.setPort it loads the page at least with the right url, but still in http. I can then override createRedirectUrl, but that only gets called sometimes. I'm assuming it has to do with the comment there about how the url is rendered in its full representation. So the question is, where does that happen? I wasn't able to find it debugging yet. Thanks for your help and your time!
        Hide
        Martin Grigorov added a comment -

        Thanks !
        We will try to debug it soon.

        Show
        Martin Grigorov added a comment - Thanks ! We will try to debug it soon.
        Hide
        Tim Urberg added a comment -

        The source code for the test I used.

        Show
        Tim Urberg added a comment - The source code for the test I used.
        Hide
        Tim Urberg added a comment - - edited

        I've reproduced this in Tomcat 7 and Apache 2.2 on Ubuntu 12.04. I've uploaded the file and here was the setup (for Ubuntu specifically):

        1, Install Ubuntu 12.04, I used a VirtualBox machine
        2. Install Apache with mod_ssl, mod_proxy and, libxml2
        sudo apt-get install apache2 libapache2-mod-proxy-html libxml2-dev
        sudo a2enmod ssl
        sudo a2enmod proxy
        sudo a2enmod proxy_http
        sudo a2enmod proxy_html
        sudo a2ensite default-ssl
        sudo service apache2 restart
        You should now be able to go to http://localhost and https://localhost

        3. Install tomcat and build the attached source code with maven and copy the generated war file as myproject.war to $

        {TOMCAT_HOME}

        /webapps. At that point you should be able to see http://localhost:8080/myproject and there will be a simple link to go to a secure page.

        Next edit the following to files replacing the contents with what is below:

        /etc/apache2/sites-available/default
        <VirtualHost *:80>
        ProxyPass / http://localhost:8080/myproject/
        ProxyPassReverse / http://localhost:8080/myproject/
        </VirtualHost>

        /etc/apache2/sites-available/default-ssl
        <IfModule mod_ssl.c>
        <VirtualHost default:443>
        ProxyPass / http://localhost:8080/myproject/
        ProxyPassReverse / http://localhost:8080/myproject/

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        </VirtualHost>
        </IfModule>

        Also edit /etc/apache2/mods-available/proxy-html.conf and edit first few lines to look like this:

        1. Configuration example.
          #
        2. First, to load the module with its prerequisites
          #
        3. For Unix-family systems:
          LoadFile /usr/lib/i386-linux-gnu/libxml2.so #if this file isn't in this location, search for it

        With both apache httpd and Tomcat running, go to http://localhost and click the link. You'll be directed to https://localhost/myproject/secure which will come up with a 404.

        Let me know if you need anything else or if you need help setting up.
        Tim

        Show
        Tim Urberg added a comment - - edited I've reproduced this in Tomcat 7 and Apache 2.2 on Ubuntu 12.04. I've uploaded the file and here was the setup (for Ubuntu specifically): 1, Install Ubuntu 12.04, I used a VirtualBox machine 2. Install Apache with mod_ssl, mod_proxy and, libxml2 sudo apt-get install apache2 libapache2-mod-proxy-html libxml2-dev sudo a2enmod ssl sudo a2enmod proxy sudo a2enmod proxy_http sudo a2enmod proxy_html sudo a2ensite default-ssl sudo service apache2 restart You should now be able to go to http://localhost and https://localhost 3. Install tomcat and build the attached source code with maven and copy the generated war file as myproject.war to $ {TOMCAT_HOME} /webapps. At that point you should be able to see http://localhost:8080/myproject and there will be a simple link to go to a secure page. Next edit the following to files replacing the contents with what is below: /etc/apache2/sites-available/default <VirtualHost *:80> ProxyPass / http://localhost:8080/myproject/ ProxyPassReverse / http://localhost:8080/myproject/ </VirtualHost> /etc/apache2/sites-available/default-ssl <IfModule mod_ssl.c> <VirtualHost default :443> ProxyPass / http://localhost:8080/myproject/ ProxyPassReverse / http://localhost:8080/myproject/ SSLEngine on SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key </VirtualHost> </IfModule> Also edit /etc/apache2/mods-available/proxy-html.conf and edit first few lines to look like this: Configuration example. # First, to load the module with its prerequisites # For Unix-family systems: LoadFile /usr/lib/i386-linux-gnu/libxml2.so #if this file isn't in this location, search for it With both apache httpd and Tomcat running, go to http://localhost and click the link. You'll be directed to https://localhost/myproject/secure which will come up with a 404. Let me know if you need anything else or if you need help setting up. Tim
        Hide
        Tim Urberg added a comment -

        Ok, I'll try to reproduce it with Tomcat and Apache HTTP. I will let you know when I do.

        Show
        Tim Urberg added a comment - Ok, I'll try to reproduce it with Tomcat and Apache HTTP. I will let you know when I do.
        Hide
        Martin Grigorov added a comment -

        Sorry. I don't have that much time. This is a big investment in time. Last time when I tried to run Glassfish (the simpler Oracle application server) I failed miserably.

        My main problem with paid app servers is that if we find a problem in them there is no way to have it fixed. So for me it is wasted time.

        Show
        Martin Grigorov added a comment - Sorry. I don't have that much time. This is a big investment in time. Last time when I tried to run Glassfish (the simpler Oracle application server) I failed miserably. My main problem with paid app servers is that if we find a problem in them there is no way to have it fixed. So for me it is wasted time.
        Hide
        Tim Urberg added a comment - - edited

        Actually you can download a free version of Weblogic here: http://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-for-dev-1703574.html which is the developer version,. Version 10.3.5 can be found in the other versions section. The weblogic apache plugin can be found here: http://www.oracle.com/technetwork/middleware/ias/downloads/wls-plugins-096117.html Both of them can be downloaded and installed for free. I have Weblogic installed in my Mac and then because the Apache plugin doesn't work on a Mac, I installed VirtualBox with an Ubuntu guest, which I installed Apache and the Weblogic Apache plugin. Details on how to install that are included with the download.

        When you install Weblogic, be sure to make sure it is in developer mode. This way you can build a war file and copy it into the autodeploy directory of your server dir. You will also need to create a weblogic.xml in the same directory as web.xml and it will look something like this:

        <?xml version="1.0" encoding="UTF-8"?>
        <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
        <context-root>/documentation</context-root>
        </weblogic-web-app>

        The place to change development mode is in config.xml which will be located in: $WEBLOGIC_INSTALL_LOCATION/domains/your-domain/config. Look for these two things in that file:

        <weblogic-plugin-enabled>true</weblogic-plugin-enabled> - this tells WL that you're using the HTTP plugin
        <production-mode-enabled>false</production-mode-enabled> - this tells WL to use development mode

        If there is anything else you need help with, let me know.

        Show
        Tim Urberg added a comment - - edited Actually you can download a free version of Weblogic here: http://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-for-dev-1703574.html which is the developer version,. Version 10.3.5 can be found in the other versions section. The weblogic apache plugin can be found here: http://www.oracle.com/technetwork/middleware/ias/downloads/wls-plugins-096117.html Both of them can be downloaded and installed for free. I have Weblogic installed in my Mac and then because the Apache plugin doesn't work on a Mac, I installed VirtualBox with an Ubuntu guest, which I installed Apache and the Weblogic Apache plugin. Details on how to install that are included with the download. When you install Weblogic, be sure to make sure it is in developer mode. This way you can build a war file and copy it into the autodeploy directory of your server dir. You will also need to create a weblogic.xml in the same directory as web.xml and it will look something like this: <?xml version="1.0" encoding="UTF-8"?> <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90"> <context-root>/documentation</context-root> </weblogic-web-app> The place to change development mode is in config.xml which will be located in: $WEBLOGIC_INSTALL_LOCATION/domains/your-domain/config. Look for these two things in that file: <weblogic-plugin-enabled>true</weblogic-plugin-enabled> - this tells WL that you're using the HTTP plugin <production-mode-enabled>false</production-mode-enabled> - this tells WL to use development mode If there is anything else you need help with, let me know.
        Hide
        Martin Grigorov added a comment -

        Can you prepare a similar setup with Apache HTTPD + Tomcat ?
        I cannot afford to test with WebLogic.

        It would be very helpful if you provide all the steps to setup this configuration. I haven't done this for a long time and it will take me some time to find how to do it.

        Show
        Martin Grigorov added a comment - Can you prepare a similar setup with Apache HTTPD + Tomcat ? I cannot afford to test with WebLogic. It would be very helpful if you provide all the steps to setup this configuration. I haven't done this for a long time and it will take me some time to find how to do it.

          People

          • Assignee:
            Unassigned
            Reporter:
            Tim Urberg
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development