flaix / gitblit

pure java git solution
http://gitblit.com
Apache License 2.0

Exception when reverse-proxy without certificate but http header authentication provider #35

Open flaix opened 10 months ago

flaix commented 10 months ago

I set up Gitblit to use the HTTP Header authentication provider and defined a header for the user name. Nginx is set up as reverse proxy and it sets the user name from the certificate.

This works when the client provides a certificate. But when a client does not provide a certificate at all, Gitblit runs into an exception.

2023-11-02 20:48:08 [ERROR] Can't instantiate page using constructor public com.gitblit.wicket.pages.MyDashboardPage()
org.apache.wicket.WicketRuntimeException: Can't instantiate page using constructor public com.gitblit.wicket.pages.MyDashboardPage()
    at org.apache.wicket.session.DefaultPageFactory.createPage(DefaultPageFactory.java:212)
    at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:57)
    at org.apache.wicket.request.target.component.BookmarkablePageRequestTarget.newPage(BookmarkablePageRequestTarget.java:298)
    at org.apache.wicket.request.target.component.BookmarkablePageRequestTarget.getPage(BookmarkablePageRequestTarget.java:320)
    at org.apache.wicket.request.target.component.BookmarkablePageRequestTarget.processEvents(BookmarkablePageRequestTarget.java:234)
    at org.apache.wicket.request.AbstractRequestCycleProcessor.processEvents(AbstractRequestCycleProcessor.java:92)
    at org.apache.wicket.RequestCycle.processEventsAndRespond(RequestCycle.java:1279)
    at org.apache.wicket.RequestCycle.step(RequestCycle.java:1358)
    at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1465)
    at org.apache.wicket.RequestCycle.request(RequestCycle.java:545)
    at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:486)
    at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:319)
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:88)
    at com.gitblit.servlet.EnforceAuthenticationFilter.doFilter(EnforceAuthenticationFilter.java:99)
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:88)
    at com.gitblit.servlet.ProxyFilter$1.doFilter(ProxyFilter.java:89)
    at com.gitblit.servlet.ProxyFilter.doFilter(ProxyFilter.java:92)
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:88)
    at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
    at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:552)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.Server.handle(Server.java:516)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
    at org.apache.wicket.session.DefaultPageFactory.createPage(DefaultPageFactory.java:192)
    ... 47 more
Caused by: java.lang.IllegalArgumentException: Malformed \uxxxx encoding.
    at java.base/java.util.Properties.loadConvert(Properties.java:678)
    at java.base/java.util.Properties.load0(Properties.java:455)
    at java.base/java.util.Properties.load(Properties.java:407)
    at org.apache.wicket.resource.PropertiesFactory$PropertiesFilePropertiesLoader.loadProperties(PropertiesFactory.java:343)
    at org.apache.wicket.resource.PropertiesFactory$AbstractPropertiesLoader.load(PropertiesFactory.java:274)
    at org.apache.wicket.resource.PropertiesFactory.load(PropertiesFactory.java:133)
    at org.apache.wicket.resource.loader.ComponentStringResourceLoader.loadStringResource(ComponentStringResourceLoader.java:141)
    at org.apache.wicket.resource.loader.ClassStringResourceLoader.loadStringResource(ClassStringResourceLoader.java:65)
    at org.apache.wicket.resource.loader.ComponentStringResourceLoader.loadStringResource(ComponentStringResourceLoader.java:261)
    at org.apache.wicket.resource.loader.ClassStringResourceLoader.loadStringResource(ClassStringResourceLoader.java:80)
    at org.apache.wicket.Localizer.getStringIgnoreSettings(Localizer.java:241)
    at org.apache.wicket.Localizer.getString(Localizer.java:313)
    at org.apache.wicket.Localizer.getString(Localizer.java:119)
    at org.apache.wicket.Component.getString(Component.java:1968)
    at org.apache.wicket.Component.getString(Component.java:1955)
    at com.gitblit.wicket.pages.RootPage$LoginForm.<init>(RootPage.java:588)
    at com.gitblit.wicket.pages.RootPage.setupPage(RootPage.java:178)
    at com.gitblit.wicket.pages.MyDashboardPage.setup(MyDashboardPage.java:71)
    at com.gitblit.wicket.pages.MyDashboardPage.<init>(MyDashboardPage.java:57)
    ... 52 more

flaix commented 10 months ago

Actually, this only happened with Chrome. These are the headers that were passed through the proxy to Gitblit:

Frame 4: 880 bytes on wire (7040 bits), 880 bytes captured (7040 bits) on interface lo, id 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 35840, Dst Port: 8080, Seq: 1, Ack: 1, Len: 814
Hypertext Transfer Protocol
    GET / HTTP/1.0\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.0\r\n]
            [GET / HTTP/1.0\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.0
    X-Forwarded-Host: mints.local\r\n
    X-Forwarded-Proto: https\r\n
    X-Forwarded-Port: 443\r\n
    X-Forwarded-For: 10.211.55.2\r\n
    Host: 127.0.0.1:8080\r\n
    Connection: close\r\n
    Cache-Control: max-age=0\r\n
    sec-ch-ua: "Chromium";v="118", "Google Chrome";v="118", "Not=A?Brand";v="99"\r\n
    sec-ch-ua-mobile: ?0\r\n
    sec-ch-ua-platform: "macOS"\r\n
    Upgrade-Insecure-Requests: 1\r\n
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\n
    Sec-Fetch-Site: none\r\n
    Sec-Fetch-Mode: navigate\r\n
    Sec-Fetch-User: ?1\r\n
    Sec-Fetch-Dest: document\r\n
    Accept-Encoding: gzip, deflate, br\r\n
    Accept-Language: de,en-GB;q=0.9,en-US;q=0.8,en;q=0.7\r\n
    \r\n
    [Full request URI: http://127.0.0.1:8080/]
    [HTTP request 1/1]
    [Response in frame: 6]

Chrome puts some 3f characters in there which might cause a problem.

0000   00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00   ..............E.
0010   03 62 db 4a 40 00 40 06 5e 49 7f 00 00 01 7f 00   .b.J@.@.^I......
0020   00 01 8c 00 1f 90 55 fa 23 77 7b 85 97 50 80 18   ......U.#w{..P..
0030   02 00 01 57 00 00 01 01 08 0a 59 9d a2 79 59 9d   ...W......Y..yY.
0040   a2 78 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 30   .xGET / HTTP/1.0
0050   0d 0a 58 2d 46 6f 72 77 61 72 64 65 64 2d 48 6f   ..X-Forwarded-Ho
0060   73 74 3a 20 6d 69 6e 74 73 2e 6c 6f 63 61 6c 0d   st: mints.local.
0070   0a 58 2d 46 6f 72 77 61 72 64 65 64 2d 50 72 6f   .X-Forwarded-Pro
0080   74 6f 3a 20 68 74 74 70 73 0d 0a 58 2d 46 6f 72   to: https..X-For
0090   77 61 72 64 65 64 2d 50 6f 72 74 3a 20 34 34 33   warded-Port: 443
00a0   0d 0a 58 2d 46 6f 72 77 61 72 64 65 64 2d 46 6f   ..X-Forwarded-Fo
00b0   72 3a 20 31 30 2e 32 31 31 2e 35 35 2e 32 0d 0a   r: 10.211.55.2..
00c0   48 6f 73 74 3a 20 31 32 37 2e 30 2e 30 2e 31 3a   Host: 127.0.0.1:
00d0   38 30 38 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e   8080..Connection
00e0   3a 20 63 6c 6f 73 65 0d 0a 43 61 63 68 65 2d 43   : close..Cache-C
00f0   6f 6e 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d   ontrol: max-age=
0100   30 0d 0a 73 65 63 2d 63 68 2d 75 61 3a 20 22 43   0..sec-ch-ua: "C
0110   68 72 6f 6d 69 75 6d 22 3b 76 3d 22 31 31 38 22   hromium";v="118"
0120   2c 20 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65   , "Google Chrome
0130   22 3b 76 3d 22 31 31 38 22 2c 20 22 4e 6f 74 3d   ";v="118", "Not=
0140   41 3f 42 72 61 6e 64 22 3b 76 3d 22 39 39 22 0d   A?Brand";v="99".
0150   0a 73 65 63 2d 63 68 2d 75 61 2d 6d 6f 62 69 6c   .sec-ch-ua-mobil
0160   65 3a 20 3f 30 0d 0a 73 65 63 2d 63 68 2d 75 61   e: ?0..sec-ch-ua
0170   2d 70 6c 61 74 66 6f 72 6d 3a 20 22 6d 61 63 4f   -platform: "macO
0180   53 22 0d 0a 55 70 67 72 61 64 65 2d 49 6e 73 65   S"..Upgrade-Inse
0190   63 75 72 65 2d 52 65 71 75 65 73 74 73 3a 20 31   cure-Requests: 1
01a0   0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f   ..User-Agent: Mo
01b0   7a 69 6c 6c 61 2f 35 2e 30 20 28 4d 61 63 69 6e   zilla/5.0 (Macin
01c0   74 6f 73 68 3b 20 49 6e 74 65 6c 20 4d 61 63 20   tosh; Intel Mac 
01d0   4f 53 20 58 20 31 30 5f 31 35 5f 37 29 20 41 70   OS X 10_15_7) Ap
01e0   70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36   pleWebKit/537.36
01f0   20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65    (KHTML, like Ge
0200   63 6b 6f 29 20 43 68 72 6f 6d 65 2f 31 31 38 2e   cko) Chrome/118.
0210   30 2e 30 2e 30 20 53 61 66 61 72 69 2f 35 33 37   0.0.0 Safari/537
0220   2e 33 36 0d 0a 41 63 63 65 70 74 3a 20 74 65 78   .36..Accept: tex
0230   74 2f 68 74 6d 6c 2c 61 70 70 6c 69 63 61 74 69   t/html,applicati
0240   6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 2c 61 70 70   on/xhtml+xml,app
0250   6c 69 63 61 74 69 6f 6e 2f 78 6d 6c 3b 71 3d 30   lication/xml;q=0
0260   2e 39 2c 69 6d 61 67 65 2f 61 76 69 66 2c 69 6d   .9,image/avif,im
0270   61 67 65 2f 77 65 62 70 2c 69 6d 61 67 65 2f 61   age/webp,image/a
0280   70 6e 67 2c 2a 2f 2a 3b 71 3d 30 2e 38 2c 61 70   png,*/*;q=0.8,ap
0290   70 6c 69 63 61 74 69 6f 6e 2f 73 69 67 6e 65 64   plication/signed
02a0   2d 65 78 63 68 61 6e 67 65 3b 76 3d 62 33 3b 71   -exchange;v=b3;q
02b0   3d 30 2e 37 0d 0a 53 65 63 2d 46 65 74 63 68 2d   =0.7..Sec-Fetch-
02c0   53 69 74 65 3a 20 6e 6f 6e 65 0d 0a 53 65 63 2d   Site: none..Sec-
02d0   46 65 74 63 68 2d 4d 6f 64 65 3a 20 6e 61 76 69   Fetch-Mode: navi
02e0   67 61 74 65 0d 0a 53 65 63 2d 46 65 74 63 68 2d   gate..Sec-Fetch-
02f0   55 73 65 72 3a 20 3f 31 0d 0a 53 65 63 2d 46 65   User: ?1..Sec-Fe
0300   74 63 68 2d 44 65 73 74 3a 20 64 6f 63 75 6d 65   tch-Dest: docume
0310   6e 74 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64   nt..Accept-Encod
0320   69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61   ing: gzip, defla
0330   74 65 2c 20 62 72 0d 0a 41 63 63 65 70 74 2d 4c   te, br..Accept-L
0340   61 6e 67 75 61 67 65 3a 20 64 65 2c 65 6e 2d 47   anguage: de,en-G
0350   42 3b 71 3d 30 2e 39 2c 65 6e 2d 55 53 3b 71 3d   B;q=0.9,en-US;q=
0360   30 2e 38 2c 65 6e 3b 71 3d 30 2e 37 0d 0a 0d 0a   0.8,en;q=0.7....

It works with Safari and Firefox, so this might be related to gitblit-org/gitblit#1451

flaix commented 10 months ago

The same works with Safari:

Frame 4: 559 bytes on wire (4472 bits), 559 bytes captured (4472 bits) on interface lo, id 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 46628, Dst Port: 8080, Seq: 1, Ack: 1, Len: 493
Hypertext Transfer Protocol
    GET / HTTP/1.0\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.0\r\n]
            [GET / HTTP/1.0\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.0
    X-Forwarded-Host: mints.local\r\n
    X-Forwarded-Proto: https\r\n
    X-Forwarded-Port: 443\r\n
    X-Forwarded-For: 10.211.55.2\r\n
    Host: 127.0.0.1:8080\r\n
    Connection: close\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Cookie: JSESSIONID=node01byt7142crfhs34jtum9xwffx2.node0\r\n
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15\r\n
    Accept-Language: en-us\r\n
    Accept-Encoding: gzip, deflate, br\r\n
    \r\n
    [Full request URI: http://127.0.0.1:8080/]
    [HTTP request 1/1]
    [Response in frame: 6]

flaix commented 10 months ago

Given the error log, this might be caused by an old, broken translation file. Need to retest with an updated Gitblit version.
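The root cause in the trace is `java.util.Properties.loadConvert` rejecting a `\uxxxx` escape, which is exactly what a stray backslash in a translation `.properties` file produces. The checker below is an added example, not Gitblit's or Wicket's code: it scans properties-file text for every `\u` escape that `Properties.load` would refuse (fewer than four characters after `\u`, or a non-hex digit among them) and reports the line and column, so a broken translation file can be found before it takes the login page down. The sample file content is constructed for the example and is not a real Gitblit translation file.

```python
"""Find \\uXXXX escapes that java.util.Properties.load would reject.

Added example (not Gitblit/Wicket code). Mirrors the escape rules of
Properties.load: a backslash followed by 'u' must be followed by exactly
four hex digits; any other escaped character is accepted as-is.
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def find_malformed_unicode_escapes(text):
    """Return [(line_no, column, snippet)] for each malformed \\uXXXX escape.

    line_no and column are 1-based; snippet is the offending '\\u' plus the
    up-to-four characters Properties would try to read as hex digits.
    """
    problems = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.lstrip()
        # Blank lines and '#' / '!' comment lines are never escape-decoded.
        if not stripped or stripped[0] in "#!":
            continue
        i = 0
        while i < len(line):
            if line[i] != "\\":
                i += 1
                continue
            if i + 1 < len(line) and line[i + 1] == "u":
                digits = line[i + 2:i + 6]
                # Too few characters, or a non-hex digit: Properties.load
                # throws IllegalArgumentException("Malformed \\uxxxx encoding.")
                if len(digits) < 4 or any(c not in HEX_DIGITS for c in digits):
                    problems.append((line_no, i + 1, line[i:i + 6]))
                i += 6
            else:
                # \t, \n, \\, a line continuation, or any other escaped char:
                # accepted, so skip the escaped character too.
                i += 2
    return problems


# Constructed sample modelled on a Wicket translation file (not a real one).
SAMPLE = "\n".join([
    r"# constructed sample, not a real Gitblit translation file",
    r"gb.welcome=Willkommen, \u00e4\u00f6\u00fc",   # valid escapes
    r"gb.login=Anmelden \u00zz",                    # 'z' is not a hex digit
    r"gb.path=C:\users\gitblit",                    # literal path: '\u' + 'sers'
    r"gb.truncated=ende\u00",                       # only two digits after \u
    r"gb.ok=tab\tsep",                              # '\t' is a valid escape
])


def check_sample():
    """Run the checker over the constructed sample and return its findings."""
    return find_malformed_unicode_escapes(SAMPLE)


if __name__ == "__main__":
    for line_no, column, snippet in check_sample():
        print(f"line {line_no}, column {column}: malformed escape {snippet!r}")
```

Run it over a real translation file with `find_malformed_unicode_escapes(open(path, encoding="latin-1").read())`; Properties files are read as ISO-8859-1, which is why non-ASCII characters must be written as `\uXXXX` escapes in the first place. A Windows path such as `C:\users\...` pasted literally into a value is the classic way such a file breaks; the fix is to double the backslash.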