Nginx issues with spring security


sven.m...@commercetools.de

Mar 19, 2015, 4:07:48 PM
to hippo-c...@googlegroups.com
Hi,

I'm using Nginx as a reverse proxy for Hippo CMS (to get rid of the /site context). The current config looks like this:


        location /cms/ {
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://127.0.0.1:8080/cms/;
        }

        location / {
                auth_basic "xyz";
                auth_basic_user_file /path/to/file;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # do not relay basic auth header
                proxy_set_header Authorization "";
                proxy_pass http://127.0.0.1:8080/site/;
                proxy_cookie_path /site/ /;
                proxy_redirect default;
        }



I tried to follow the hippo sample for apache (http://www.onehippo.org/library/deployment/configuring/configure-apache-httpd-web-server-for-cms-and-sites.html)

Now when I try to log in, I get redirected to the URL /j_spring_security_check (an empty page is shown). Any idea what could cause this? What does your nginx configuration look like?

Thanks in Advance,
Sven

commercetools GmbH
SPHERE.IO The E-Commerce Platform.

Amtsgericht München, HRB 161496
Managing Directors: Denis Werner, Dirk Hörig, Dr. Robert Zores

Woonsan Ko

Mar 19, 2015, 4:15:31 PM
to hippo-c...@googlegroups.com
Hi Sven,

Spring Security Framework is unaware that it is reverse proxying from
'/' to '/site/' and so it is incapable of rewriting from
'/site/something' to '/something' when a servlet based web application
requested a redirection as a result.

The reason why it is working fine in HST-2 is simply because HST
configuration is aware of your virtual host configurations and so it is
capable of redirecting to an absolute URL afterward without the context
path. (If a servlet based web application is redirecting to an absolute
URL, then reverse proxies do not do any rewriting.)

Spring Security Framework itself is another web application framework,
so I think what you can do is to deploy the SITE application as ROOT
application:
-
http://www.onehippo.org/library/deployment/configuring/deploy-application-as-root_war.html

Then, there's no mismatch in context path switching between reverse
proxy and servlet based web application.

Regards,

Woonsan


--
w....@onehippo.com www.onehippo.com
Boston - 745 Atlantic Ave, 8th Floor, Boston MA 02111
Amsterdam - Oosteinde 11, 1017 WT Amsterdam
US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466

Sven Müller

Mar 19, 2015, 4:37:20 PM
to hippo-c...@googlegroups.com
Hi,

Thx for your reply. Can you explain what you mean by "HST-2 is working fine"? What is HST-2?

Regards Sven

You received this message because you are subscribed to a topic in the Google Groups "Hippo Community" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/hippo-community/E9R3q-V4s3w/unsubscribe.
To unsubscribe from this group and all its topics, send an email to hippo-communi...@googlegroups.com.


Woonsan Ko

Mar 19, 2015, 4:51:23 PM
to hippo-c...@googlegroups.com
Ah, I should have written like this:
"The reason why it is working fine in the *default HST-2 authentication
module with JAAS* [1] is simply because HST configuration is aware of
...". :-)

HST-2 (or just HST) is a delivery tier or RESTful web application
framework [2]. The default built-in authentication module supported by HST
is JAAS as mentioned earlier [1]. However, JAAS is not so flexible, so
that's why we support integrations with other best web security
frameworks such as Spring Security Framework or Apache Shiro.

Anyway, in the built-in JAAS integration (actually in every redirection
in HST), HST generates an absolute URL every time based on your virtual
host configurations in order not to confuse the reverse proxy server
setup (especially with the unmatched context path mapping). That's why
it works very fine in the default built-in JAAS authentication.

However, when using spring security framework, spring security framework
itself is responsible for redirection whenever needed, before hitting
HST container. (Spring security framework filter is working before HST
filter for that reason. See site/WEB-INF/web.xml for detail.)

Maybe someone might think of a possibility to improve/customize some
spring security framework components to behave similarly to what HST
does with absolute URLs, but I haven't looked into that so far because
it might be simply better to deploy it as ROOT war.

Regards,

Woonsan

[1]
http://www.onehippo.org/library/concepts/security/hst-2-authentication-and-authorization-support.html
[2]
http://www.onehippo.org/library/architecture/hippo-cms-7-architecture.html


Sven Müller

Mar 19, 2015, 5:03:02 PM
to hippo-c...@googlegroups.com
@Woonsan Thx for your detailed answer!

Ok, so that basically means that as soon as a Hippo site app uses Spring Security for authentication and runs behind a reverse proxy like nginx or apache2 (to remove the "/site" context), this problem will occur? It's still not clear why Hippo then shows the apache2 example on their website (to remove the app context) when it will cause Spring Security to fail.

Regards Sven


Woonsan Ko

Mar 19, 2015, 5:14:56 PM
to hippo-c...@googlegroups.com
My pleasure.
There are many different environments and people. Some people like to
set up like what the documentation suggests and spring-security
framework integration is not required for those. It works for them.
Also I know some people don't use reverse proxy at all, so they prefer
deploying it as root war only with tomcat, and sometimes they rather
don't feel like supporting the option (mapping /site/ to /) at all (in
tomcat or other servlet application framework communities). Hippo
supports that option in core products though. Different practices.
Meanwhile spring security framework and its integration stuff is in the
middle ground.

Regards,

Woonsan


Bartosz Oudekerk

Mar 20, 2015, 6:30:41 AM
to hippo-c...@googlegroups.com
On 19/03/15 21:51, Woonsan Ko wrote:
> Maybe someone might think of a possibility to improve/customize some
> spring security framework components to behave similarly to what HST
> does with absolute URLs, but I haven't looked into that so far because
> it might be simply better to deploy it as ROOT war.

I know that for spring-security-saml there is:
http://docs.spring.io/spring-security-saml/docs/current/api/org/springframework/security/saml/context/SAMLContextProviderLB.html

Perhaps there's something similar for your component?

Kind regards,
Bartosz
--
Amsterdam - Oosteinde 11, 1017 WT Amsterdam
Boston - 745 Atlantic Ave, Third Floor, Boston MA 02111

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
http://www.onehippo.com/

Woonsan Ko

Mar 20, 2015, 7:37:11 AM
to hippo-c...@googlegroups.com

spring-security-saml seems to do that in web sso redirections (which is their purpose).
The situations are a bit different but we can think of possibilities to add a supporting component in hst-springsec-support forge module if needed.

Woonsan
(Sent via my mobile device. Apologies for any typos.)

Woonsan Ko

Mar 21, 2015, 12:21:34 AM
to hippo-c...@googlegroups.com
Hi Sven,

I'm not so sure, but I might have given a misleading idea to you.
I happened to read the Nginx manual [1] and now I understand your
configuration with 'proxy_redirect default;' is supposed to rewrite the
Location header in the response.
So, even if spring framework redirects to
http://127.0.0.1:8080/site/j_spring_security_check, the redirection
Location would be rewritten to
http://your_domain/j_spring_security_check, which seems fine to me
because /j_spring_security_check would be rewritten back to
http://127.0.0.1:8080/site/j_spring_security_check keeping the cookies
properly in the end.

Just in case, can you also check with adding the following after that?

proxy_redirect default;
proxy_redirect /site/ /;
proxy_redirect http://127.0.0.1:8080/site/ /;
proxy_redirect http://localhost:8080/site/ /;

I have never used Nginx myself, so if it is totally ignorant, just
disregard that. :-) I'm just thinking this test could rule out the other
possibilities.

By the way, is it working fine if you run the tomcat only without
reverse proxy configuration (with hst hosts setting change for
http://localhost:8080/site/ for instance)? There are also many other
cases caused by spring security configuration error sometimes. So you
can rule out that possibility as well by running without reverse proxy.

Cheers,

Woonsan

P.S. Also, if you can post request/response information here (maybe
using HttpFox), then it might be helpful.

[1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html
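The two rewrites the thread hinges on (proxy_redirect on the Location header, proxy_cookie_path on Set-Cookie) are plain prefix replacements in nginx, and tracing them by hand is the quickest way to check Woonsan's reasoning against a real capture. The script below is an added example, not code from the thread, from nginx or from Hippo: it re-implements those prefix semantics in Python, takes the proxy_pass URL and the proxy_redirect rules from the nginx config and the suggested rule list posted above, and runs them over a constructed backend response (the Location value and JSESSIONID cookie are made up to look like a servlet container's login redirect). It also shows the one check worth making on a real capture: a rule written with a trailing slash ("/site/") never matches a cookie path emitted without one ("Path=/site"), which would leave the session cookie scoped to a path the browser no longer uses.

```python
"""Added example (not part of the thread, not nginx or Hippo code): a small
model of the prefix-rewrite semantics of nginx's 'proxy_redirect' and
'proxy_cookie_path' directives, run over a constructed Spring Security
login redirect so the rewrite steps discussed in the thread can be traced."""

# Values taken from the nginx config posted in the thread.
PROXY_PASS = "http://127.0.0.1:8080/site/"
LOCATION = "/"


def default_redirect_rule():
    """'proxy_redirect default;' expands to
    'proxy_redirect <proxy_pass URL> <location prefix>;'."""
    return (PROXY_PASS, LOCATION)


def thread_rules():
    """The rule set suggested in the thread: the default rule followed by
    three explicit prefixes. Order matters, the first match wins."""
    return [
        default_redirect_rule(),
        ("/site/", "/"),
        ("http://127.0.0.1:8080/site/", "/"),
        ("http://localhost:8080/site/", "/"),
    ]


def rewrite_location(location, rules):
    """Apply the first rule whose 'replaced' string is a prefix of the
    Location value. nginx compares plain strings, so a relative
    'Location: /site/x' is NOT matched by the absolute default rule; that is
    what the extra '/site/ /' rule in the thread covers."""
    for replaced, replacement in rules:
        if location.startswith(replaced):
            return replacement + location[len(replaced):]
    return location


def rewrite_cookie_path(set_cookie, old_prefix, new_prefix):
    """Model 'proxy_cookie_path old new': rewrite the path attribute of one
    Set-Cookie header when its value starts with old_prefix. Other
    attributes (HttpOnly, Secure, ...) are passed through untouched."""
    parts = [p.strip() for p in set_cookie.split(";")]
    rewritten = []
    for part in parts:
        name, _, value = part.partition("=")
        if name.lower() == "path" and value.startswith(old_prefix):
            rewritten.append("Path=" + new_prefix + value[len(old_prefix):])
        else:
            rewritten.append(part)
    return "; ".join(rewritten)


def proxy_response(headers, rules, cookie_old="/site/", cookie_new="/"):
    """Rewrite the Location and Set-Cookie headers of a backend response the
    way the posted 'location /' block would. Returns a new header list."""
    out = []
    for name, value in headers:
        if name.lower() == "location":
            value = rewrite_location(value, rules)
        elif name.lower() == "set-cookie":
            value = rewrite_cookie_path(value, cookie_old, cookie_new)
        out.append((name, value))
    return out


# Constructed backend response (not a real capture): an absolute Location
# built from the Host nginx sent upstream, plus a context-scoped session cookie.
CONSTRUCTED_RESPONSE = [
    ("Location", "http://127.0.0.1:8080/site/j_spring_security_check"),
    ("Set-Cookie", "JSESSIONID=constructed0123; Path=/site/; HttpOnly"),
]


def demo():
    """Run the constructed response through the thread's rule set."""
    return proxy_response(CONSTRUCTED_RESPONSE, thread_rules())


if __name__ == "__main__":
    for name, value in demo():
        print(f"{name}: {value}")
    # Caveat to verify on a real capture: a path attribute without the
    # trailing slash is not matched by a rule written with one.
    print(rewrite_cookie_path("JSESSIONID=x; Path=/site; HttpOnly", "/site/", "/"))
```

Running it prints the rewritten Location as the relative "/j_spring_security_check" (the browser resolves it against the proxy's origin, which is the effect Woonsan describes) and the cookie re-scoped to "Path=/"; the last line prints the cookie unchanged, which is the symptom to look for if a login loops through the proxy with a session that never sticks.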