mkopylec / charon-spring-boot-starter

Reverse proxy implementation in form of a Spring Boot starter.
Apache License 2.0
240 stars, 54 forks

Problem with j_security_check login to Tomcat #49

Closed KarlikB closed 5 years ago

KarlikB commented 6 years ago

I have a strange problem - it looks like the Charon proxy does not pass login form data.

My charon version is:

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.5.10.RELEASE</version>
    <relativePath /> <!-- lookup parent from repository -->
</parent>

My Charon code is a simple default Spring Boot starter without any interceptor:

package cz.tsp.kbe;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class CharonTestApplication {

    public static void main(String[] args) {
        SpringApplication.run(CharonTestApplication.class, args);
    }
}

Here is the configuration (application.yml) - the intention is to proxy http://localhost:8080/APG/ to http://172.24.36.70:58080/APG/:

charon.mappings:
  - name: my mapping
    path: /APG
    destinations: http://172.24.36.70:58080
    strip-path: false

charon.tracing.enabled: true

The problem is with the standard Tomcat j_security_check form login, when the login form data is sent via the POST method. I captured the HTTP communication to the target using Wireshark. When I access the target server directly without the Charon proxy, the necessary form items j_username and j_password are sent and Wireshark sees them. When I access the server through the proxy, the form items are missing and even the Content-Length header is set to zero.

Here is the Wireshark log; the first POST is direct to the target, the second via the Charon proxy (I am sending a wrong password intentionally to avoid a huge Wireshark log from the page load after login):

No.     Time           Source                Destination           Protocol Length Info
     22 9.423414       172.24.5.21           172.24.36.70          HTTP     668    POST /APG/j_security_check HTTP/1.1  (application/x-www-form-urlencoded)

Frame 22: 668 bytes on wire (5344 bits), 668 bytes captured (5344 bits) on interface 0
Ethernet II, Src: Flextron_c0:3a:51 (00:21:cc:c0:3a:51), Dst: Cisco_97:8b:8f (b0:fa:eb:97:8b:8f)
Internet Protocol Version 4, Src: 172.24.5.21, Dst: 172.24.36.70
Transmission Control Protocol, Src Port: 50328, Dst Port: 58080, Seq: 1, Ack: 1, Len: 614
Hypertext Transfer Protocol
    POST /APG/j_security_check HTTP/1.1\r\n
    Host: 172.24.36.70:58080\r\n
    Connection: keep-alive\r\n
    Content-Length: 37\r\n
        [Content length: 37]
    Accept: */*\r\n
    Origin: http://172.24.36.70:58080\r\n
    X-Requested-With: XMLHttpRequest\r\n
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36\r\n
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n
    Referer: http://172.24.36.70:58080/APG/\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Language: cs,en;q=0.9,sk;q=0.8,en-US;q=0.7\r\n
    Cookie: tree_width=231; JSESSIONID=26FC6E139E445D3E5172606730BD40BC\r\n
        Cookie pair: tree_width=231
        Cookie pair: JSESSIONID=26FC6E139E445D3E5172606730BD40BC
    \r\n
    [Full request URI: http://172.24.36.70:58080/APG/j_security_check]
    [HTTP request 1/1]
    [Response in frame: 25]
    File Data: 37 bytes
HTML Form URL Encoded: application/x-www-form-urlencoded
    Form item: "j_username" = "adminx"
        Key: j_username
        Value: adminx
    Form item: "j_password" = "changeme"
        Key: j_password
        Value: changeme

No.     Time           Source                Destination           Protocol Length Info
     25 9.427447       172.24.36.70          172.24.5.21           HTTP     96     HTTP/1.1 200 OK  (application/json)

Frame 25: 96 bytes on wire (768 bits), 96 bytes captured (768 bits) on interface 0
Ethernet II, Src: Cisco_97:8b:8f (b0:fa:eb:97:8b:8f), Dst: Flextron_c0:3a:51 (00:21:cc:c0:3a:51)
Internet Protocol Version 4, Src: 172.24.36.70, Dst: 172.24.5.21
Transmission Control Protocol, Src Port: 58080, Dst Port: 50328, Seq: 150, Ack: 615, Len: 42
[2 Reassembled TCP Segments (191 bytes): #24(149), #25(42)]
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Server: Apache-Coyote/1.1\r\n
    Content-Type: application/json;charset=UTF-8\r\n
    Content-Length: 42\r\n
        [Content length: 42]
    Date: Fri, 13 Apr 2018 15:42:54 GMT\r\n
    \r\n
    [HTTP response 1/1]
    [Time since request: 0.004033000 seconds]
    [Request in frame: 22]
    File Data: 42 bytes
JavaScript Object Notation: application/json
    Object
        Member Key: error
            String value: Invalid Login and/or Password
            Key: error

No.     Time           Source                Destination           Protocol Length Info
     36 13.476014      172.24.5.21           172.24.36.70          HTTP     801    POST /APG/j_security_check HTTP/1.1 

Frame 36: 801 bytes on wire (6408 bits), 801 bytes captured (6408 bits) on interface 0
Ethernet II, Src: Flextron_c0:3a:51 (00:21:cc:c0:3a:51), Dst: Cisco_97:8b:8f (b0:fa:eb:97:8b:8f)
Internet Protocol Version 4, Src: 172.24.5.21, Dst: 172.24.36.70
Transmission Control Protocol, Src Port: 50335, Dst Port: 58080, Seq: 1, Ack: 1, Len: 747
Hypertext Transfer Protocol
    POST /APG/j_security_check HTTP/1.1\r\n
    host: localhost:8080\r\n
    connection: keep-alive\r\n
    accept: */*\r\n
    origin: http://localhost:8080\r\n
    x-requested-with: XMLHttpRequest\r\n
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36\r\n
    content-type: application/x-www-form-urlencoded; charset=UTF-8\r\n
    referer: http://localhost:8080/APG/\r\n
    accept-encoding: gzip, deflate, br\r\n
    accept-language: cs,en;q=0.9,sk;q=0.8,en-US;q=0.7\r\n
    cookie: JSESSIONID=ACFA48819DAC2EB3E7DE6F8C53CCE99C; JSESSIONID=2130E398133F87100F7428645AC1B981; oam.Flash.RENDERMAP.TOKEN=1cn10f4jnc\r\n
        Cookie pair: JSESSIONID=ACFA48819DAC2EB3E7DE6F8C53CCE99C
        Cookie pair: JSESSIONID=2130E398133F87100F7428645AC1B981
        Cookie pair: oam.Flash.RENDERMAP.TOKEN=1cn10f4jnc
    X-Forwarded-For: 0:0:0:0:0:0:0:1\r\n
    X-Forwarded-Proto: http\r\n
    X-Forwarded-Host: localhost\r\n
    X-Forwarded-Port: 8080\r\n
    Content-Length: 0\r\n
        [Content length: 0]
    \r\n
    [Full request URI: http://localhost:8080/APG/j_security_check]
    [HTTP request 1/1]
    [Response in frame: 39]

No.     Time           Source                Destination           Protocol Length Info
     39 13.478819      172.24.36.70          172.24.5.21           HTTP     96     HTTP/1.1 200 OK  (application/json)

Frame 39: 96 bytes on wire (768 bits), 96 bytes captured (768 bits) on interface 0
Ethernet II, Src: Cisco_97:8b:8f (b0:fa:eb:97:8b:8f), Dst: Flextron_c0:3a:51 (00:21:cc:c0:3a:51)
Internet Protocol Version 4, Src: 172.24.36.70, Dst: 172.24.5.21
Transmission Control Protocol, Src Port: 58080, Dst Port: 50335, Seq: 150, Ack: 748, Len: 42
[2 Reassembled TCP Segments (191 bytes): #38(149), #39(42)]
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Server: Apache-Coyote/1.1\r\n
    Content-Type: application/json;charset=UTF-8\r\n
    Content-Length: 42\r\n
        [Content length: 42]
    Date: Fri, 13 Apr 2018 15:42:58 GMT\r\n
    \r\n
    [HTTP response 1/1]
    [Time since request: 0.002805000 seconds]
    [Request in frame: 36]
    File Data: 42 bytes
JavaScript Object Notation: application/json
    Object
        Member Key: error
            String value: Invalid Login and/or Password
            Key: error

As seen in the log, the POST via the Charon proxy is completely missing the form data.

I have checked (using the Web Sniffer Chrome extension) that the form data goes out from the browser in both cases.

Here is the Charon trace log:

2018-04-13 17:44:07.698  INFO 7460 --- [nio-8080-exec-2] c.g.m.c.c.trace.LoggingTraceInterceptor  : 
  Trace ID: 89a425df-3f84-4023-adc5-e1e0db9adae3
  Incoming HTTP request received:
    - method: POST
    - uri: /APG/j_security_check
    - headers: {host=[localhost:8080], connection=[keep-alive], content-length=[37], accept=[*/*], origin=[http://localhost:8080], x-requested-with=[XMLHttpRequest], user-agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36], content-type=[application/x-www-form-urlencoded; charset=UTF-8], referer=[http://localhost:8080/APG/], accept-encoding=[gzip, deflate, br], accept-language=[cs,en;q=0.9,sk;q=0.8,en-US;q=0.7], cookie=[JSESSIONID=ACFA48819DAC2EB3E7DE6F8C53CCE99C; JSESSIONID=2130E398133F87100F7428645AC1B981; oam.Flash.RENDERMAP.TOKEN=1cn10f4jnc]}
2018-04-13 17:44:07.708  INFO 7460 --- [nio-8080-exec-2] c.g.m.c.c.trace.LoggingTraceInterceptor  : 
  Trace ID: 89a425df-3f84-4023-adc5-e1e0db9adae3
  Forwarding HTTP request started:
    - mapping name: W4N mapping
    - method: POST
    - uri: http://172.24.36.70:58080/APG/j_security_check
    - body: 
    - headers: {host=[localhost:8080], connection=[keep-alive], content-length=[37], accept=[*/*], origin=[http://localhost:8080], x-requested-with=[XMLHttpRequest], user-agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36], content-type=[application/x-www-form-urlencoded; charset=UTF-8], referer=[http://localhost:8080/APG/], accept-encoding=[gzip, deflate, br], accept-language=[cs,en;q=0.9,sk;q=0.8,en-US;q=0.7], cookie=[JSESSIONID=ACFA48819DAC2EB3E7DE6F8C53CCE99C; JSESSIONID=2130E398133F87100F7428645AC1B981; oam.Flash.RENDERMAP.TOKEN=1cn10f4jnc], X-Forwarded-For=[0:0:0:0:0:0:0:1], X-Forwarded-Proto=[http], X-Forwarded-Host=[localhost], X-Forwarded-Port=[8080]}
2018-04-13 17:44:07.791  INFO 7460 --- [nio-8080-exec-2] c.g.m.charon.core.http.RequestForwarder  : Forwarding: POST /APG/j_security_check -> http://172.24.36.70:58080/APG/j_security_check 200
2018-04-13 17:44:07.792  INFO 7460 --- [nio-8080-exec-2] c.g.m.c.c.trace.LoggingTraceInterceptor  : 
  Trace ID: 89a425df-3f84-4023-adc5-e1e0db9adae3
  Forward HTTP response received:
    - status: 200
    - body: {"error":"Invalid Login and\/or Password"}
    - headers: {Server=[Apache-Coyote/1.1], Content-Type=[application/json;charset=UTF-8], Content-Length=[42], Date=[Fri, 13 Apr 2018 15:42:58 GMT]}

What am I doing wrong?
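The symptom above (incoming request with Content-Length: 37, forwarded request with an empty body and Content-Length: 0) is the classic signature of a servlet request whose body was consumed before the proxy got to read it: for an application/x-www-form-urlencoded POST, the first call to getParameter() on the request drains the servlet input stream to parse the form, and anything that calls getInputStream() afterwards sees zero bytes. Spring Boot auto-registers HiddenHttpMethodFilter, which calls getParameter("_method") on every POST, so a proxy filter that runs after it is one common way to hit exactly this. Whether that is what happened inside Charon 3.x here is not established by the thread, so what follows is an added example, not Charon's code and not the fix that shipped in 4.0.0: a servlet filter, assumed to be registered at highest precedence, that buffers the body once, replays it to everything downstream, and logs when the number of bytes it could read disagrees with the declared Content-Length. The package, class and bean names are made up for the example; the servlet API is javax.servlet as used by Spring Boot 1.5.

```java
package cz.tsp.kbe; // hypothetical package, matches the reporter's application

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;

/**
 * Reads the request body exactly once, as early as possible in the filter chain,
 * and hands every later reader a replayable copy. A later getParameter() call can
 * then no longer leave the forwarding code with an empty stream.
 */
public class BodyCachingFilter implements Filter {

    private static final Logger log = LoggerFactory.getLogger(BodyCachingFilter.class);

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        CachedBodyRequest wrapped = new CachedBodyRequest(http);

        // Sanity check: bytes actually readable vs. what the client declared.
        // A mismatch means some earlier component already drained the stream
        // (or the client lied), and the upstream will receive a truncated body.
        long declared = http.getContentLengthLong();
        if (declared >= 0 && declared != wrapped.body.length) {
            log.warn("{} {}: Content-Length={} but only {} body bytes readable",
                    http.getMethod(), http.getRequestURI(), declared, wrapped.body.length);
        }
        chain.doFilter(wrapped, res);
    }

    /** Request wrapper whose getInputStream() can be called any number of times. */
    static final class CachedBodyRequest extends HttpServletRequestWrapper {

        final byte[] body;

        CachedBodyRequest(HttpServletRequest request) throws IOException {
            super(request);
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            InputStream in = request.getInputStream();
            byte[] chunk = new byte[8192];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
            body = buf.toByteArray();
        }

        @Override
        public ServletInputStream getInputStream() {
            final ByteArrayInputStream bytes = new ByteArrayInputStream(body);
            return new ServletInputStream() {
                @Override public int read() { return bytes.read(); }
                @Override public boolean isFinished() { return bytes.available() == 0; }
                @Override public boolean isReady() { return true; }
                @Override public void setReadListener(ReadListener listener) {
                    throw new UnsupportedOperationException("blocking reads only");
                }
            };
        }
    }

    /** Registers the filter ahead of everything else, scoped to the proxied path. */
    @Configuration
    static class Registration {
        @Bean
        FilterRegistrationBean bodyCachingFilter() {
            FilterRegistrationBean reg = new FilterRegistrationBean(new BodyCachingFilter());
            reg.setOrder(Ordered.HIGHEST_PRECEDENCE); // before Spring Boot's hidden-method filter (order -10000)
            reg.addUrlPatterns("/APG/*");
            return reg;
        }
    }
}
```

Two caveats when using something like this in front of a forwarder. First, once the stream has been read, Tomcat skips body parsing in getParameter(), so form fields are only available as raw bytes in `body`; that is the desired behaviour for a pure reverse proxy, which should forward bytes untouched, but it is wrong for an application that also needs to read its own parameters. Second, getReader() is not overridden here; add the same replay logic there if any downstream component reads the body as characters. On Spring Boot 2.2 and later the auto-registered HiddenHttpMethodFilter is off by default and controlled by `spring.mvc.hiddenmethod.filter.enabled`, which removes the most common trigger without any wrapper at all.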

maestros commented 5 years ago

Hi there, any updates on this issue please?

mkopylec commented 5 years ago

This is a strange behaviour. I need to analyse it. Do any other application/x-www-form-urlencoded requests work correctly? What about application/json requests, can you try them too?

KarlikB commented 5 years ago

Hi, sorry, I cannot help with debugging. I have switched my solution to Apache 2.4 mod_proxy and I no longer have the code that causes the problem.

mkopylec commented 5 years ago

This is fixed in 4.0.0