Webpasswordsafe behind reverse proxy


Tamas Becz

Sep 19, 2012, 4:48:13 AM
to webpass...@googlegroups.com
Hi,

I'm trying to put wps behind a reverse proxy on Apache (which happens to be on the same host, by the way), but I'm having some difficulties not unlike the ones that came with 1.2.1.

I can live without this, it is mostly for cosmetic reasons (i.e. I wanted to conveniently handle redirects to https, and wanted to get rid of /webpasswordsafe-1.2.1 at the end of the URI, and it sounded easier to just fire up an Apache than to try to figure out how to do this with GlassFish).

However, if I try to access it via the proxy, the following shows up in server.log:

[#|2012-09-19T10:37:56.926+0200|SEVERE|glassfish3.1.2|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=21;_ThreadName=Thread-2;|WebModule[/webpasswordsafe-1.2.1]Exception while dispatching incoming RPC call
com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract com.google.gwt.user.client.rpc.XsrfToken com.google.gwt.user.client.rpc.XsrfTokenService.getNewXsrfToken()' threw an unexpected exception: java.lang.IllegalArgumentException: Duplicate cookie! Cookie override attack?
        at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:385)
        at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:588)
        at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:208)
        at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:248)
        at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
        at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1550)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
        at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
        at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
        at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
        at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:860)
        at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:757)
        at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1056)
        at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:229)
        at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
        at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
        at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
        at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
        at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
        at java.lang.Thread.run(Thread.java:662)
Caused by: java.lang.IllegalArgumentException: Duplicate cookie! Cookie override attack?
        at com.google.gwt.user.server.Util.getCookie(Util.java:96)
        at com.google.gwt.user.server.rpc.XsrfTokenServiceServlet.generateTokenValue(XsrfTokenServiceServlet.java:191)
        at com.google.gwt.user.server.rpc.XsrfTokenServiceServlet.getNewXsrfToken(XsrfTokenServiceServlet.java:164)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:569)
        ... 29 more
|#]

I've told apache to:

<IfModule !mod_rewrite.c>
    LoadModule rewrite_module modules/mod_rewrite.so
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</IfModule>

<IfModule !mod_proxy.c>
    LoadModule proxy_module modules/mod_proxy.so
</IfModule>

ProxyPass / http://passwd.bud.hu.rsg.ericsson.se:8080/webpasswordsafe-1.2.1/
ProxyPassReverse / http://passwd.bud.hu.rsg.ericsson.se:8080/webpasswordsafe-1.2.1/
ProxyPreserveHost On
ProxyPassReverseCookiePath / /webpasswordsafe-1.2.1/

(Note: I initially started with ProxyPass only; the rest are just somewhat random attempts at trying things out. That gave:)

[#|2012-09-18T17:09:17.098+0200|SEVERE|glassfish3.1.2|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=20;_ThreadName=Thread-2;|WebModule[/webpasswordsafe-1.2.1]Exception while dispatching incoming RPC call
com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract com.google.gwt.user.client.rpc.XsrfToken com.google.gwt.user.client.rpc.XsrfTokenService.getNewXsrfToken()' threw an unexpected exception: com.google.gwt.user.client.rpc.RpcTokenException: Invalid RPC token (Session cookie is not set or empty! Unable to generate XSRF cookie)
        at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:385)
        at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:588)
        at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:208)
        at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:248)
        at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
        at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1550)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
        at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
        at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
        at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
        at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:860)
        at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:757)
        at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1056)
        at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:229)
        at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
        at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
        at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
        at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
        at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
        at java.lang.Thread.run(Thread.java:662)
Caused by: com.google.gwt.user.client.rpc.RpcTokenException: Invalid RPC token (Session cookie is not set or empty! Unable to generate XSRF cookie)
        at com.google.gwt.user.server.rpc.XsrfTokenServiceServlet.generateTokenValue(XsrfTokenServiceServlet.java:195)
        at com.google.gwt.user.server.rpc.XsrfTokenServiceServlet.getNewXsrfToken(XsrfTokenServiceServlet.java:164)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:569)
        ... 29 more
|#]

If I change it around to proxy /webpasswordsafe-1.2.1/ to GlassFish instead of just /, then the exception changes to:
[#|2012-09-19T10:37:56.926+0200|SEVERE|glassfish3.1.2|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=21;_ThreadName=Thread-2;|WebModule[/webpasswordsafe-1.2.1]Exception while dispatching incoming RPC call
com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract com.google.gwt.user.client.rpc.XsrfToken com.google.gwt.user.client.rpc.XsrfTokenService.getNewXsrfToken()' threw an unexpected exception: java.lang.IllegalArgumentException: Duplicate cookie! Cookie override attack?
        at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:385)
        at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:588)
        at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:208)
        at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:248)
        at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
        at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1550)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
        at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
        at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
        at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
        at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:860)
        at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:757)
        at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1056)
        at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:229)
        at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
        at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
        at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
        at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
        at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
        at java.lang.Thread.run(Thread.java:662)
Caused by: java.lang.IllegalArgumentException: Duplicate cookie! Cookie override attack?
        at com.google.gwt.user.server.Util.getCookie(Util.java:96)
        at com.google.gwt.user.server.rpc.XsrfTokenServiceServlet.generateTokenValue(XsrfTokenServiceServlet.java:191)
        at com.google.gwt.user.server.rpc.XsrfTokenServiceServlet.getNewXsrfToken(XsrfTokenServiceServlet.java:164)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:569)
        ... 29 more
|#]

Unfortunately I'm not very familiar with Java (or GlassFish, for that matter), so it might be that I'm messing up something, but maybe it's something buggy. I can also get around it without too much effort, but if someone has some idea, that would be welcome :)

------

On a totally unrelated note: I did manage to get some developer's time borrowed, so I now have some pretty basic RADIUS authentication added to the code. It's pretty straightforward, it seems, but I'd gladly share it. What is the preferred way to do that?

Thanks,
tamas

Darin Perusich

Sep 19, 2012, 8:41:56 AM
to Tamas Becz, webpass...@googlegroups.com
You may need to set `<property name="strongCsrfProtection" value="false" />` in rpc-servlet.xml to get around this.

--
Later,
Darin

Tamas Becz

Sep 19, 2012, 9:40:47 AM
to webpass...@googlegroups.com, Tamas Becz
Thanks for the tip. Do you know which bean it should go into, though? If I add it to any of them, it results in the same exception:

Error creating bean with name 'passwordServiceExporter' defined in ServletContext resource [/WEB-INF/rpc-servlet.xml]: Error setting property values; nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property 'strongCsrfProtection' of bean class [org.gwtwidgets.server.spring.gilead.GileadRPCServiceExporter]: Bean property 'strongCsrfProtection' is not writable or has an invalid setter method. Does the parameter type of the setter match the return type of the getter?

Josh

Jul 28, 2013, 11:50:05 PM
to webpass...@googlegroups.com, Tamas Becz
Please try the final released webpasswordsafe version 1.3; support for this type of deployment is fixed. Let me know if you still have problems. Thanks.

Danny Wilkinson

Jan 2, 2014, 6:05:27 AM
to webpass...@googlegroups.com
I have a similar problem. I'm using 1.3 behind Apache with an AJP proxy setup, but I get a "cookie not defined" error.

Danny Wilkinson

Jan 2, 2014, 6:07:23 AM
to webpass...@googlegroups.com
Jan 02, 2014 11:06:25 AM org.apache.catalina.core.ApplicationContext log
INFO: rpc: ERROR: The module path requested, //webpasswordsafe/, is not in the same web application as this servlet, /webpasswordsafe-1.3.  Your module may not be properly configured or your client and server code maybe out of date.
Jan 02, 2014 11:06:25 AM org.apache.catalina.core.ApplicationContext log
INFO: xsrf: ERROR: The module path requested, //webpasswordsafe/, is not in the same web application as this servlet, /webpasswordsafe-1.3.  Your module may not be properly configured or your client and server code maybe out of date.
Jan 02, 2014 11:06:25 AM org.apache.catalina.core.ApplicationContext log
SEVERE: Exception while dispatching incoming RPC call

com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract com.google.gwt.user.client.rpc.XsrfToken com.google.gwt.user.client.rpc.XsrfTokenService.getNewXsrfToken()' threw an unexpected exception: com.google.gwt.user.client.rpc.RpcTokenException: Invalid RPC token (Session cookie is not set or empty! Unable to generate XSRF cookie)
        at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:389)
        at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:579)
        at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:208)
        at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:248)
        at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at net.webpasswordsafe.server.filter.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:64)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:200)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)

Caused by: com.google.gwt.user.client.rpc.RpcTokenException: Invalid RPC token (Session cookie is not set or empty! Unable to generate XSRF cookie)
        at com.google.gwt.user.server.rpc.XsrfTokenServiceServlet.generateTokenValue(XsrfTokenServiceServlet.java:195)
        at com.google.gwt.user.server.rpc.XsrfTokenServiceServlet.getNewXsrfToken(XsrfTokenServiceServlet.java:164)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:561)
        ... 27 more

Josh

Jan 5, 2014, 7:05:06 AM
to webpass...@googlegroups.com
This is the configuration that works for me...

Apache:
    ProxyPass / ajp://localhost:8009/webpasswordsafe-trunk/
    ProxyPassReverseCookiePath /webpasswordsafe-trunk /

Tomcat:
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
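
How the cookie-path rewrite decides what the GWT XSRF servlet ends up seeing, for the ProxyPass and ProxyPassReverseCookiePath attempts in the first post and for the working argument order in this reply. This is an added Python model, not code from WebPasswordSafe, GWT or Apache; it assumes one host for direct and proxied access (as with ProxyPreserveHost On), a simplified RFC 6265 path match, and a simplified prefix-replace model of ProxyPassReverseCookiePath, with constructed cookie values.

```python
"""Model of zero/one/two JSESSIONID cookies reaching a GWT backend behind a
path-rewriting proxy.  Added example; not WebPasswordSafe, GWT or Apache code.
Assumed: one host for every request, simplified RFC 6265 path matching, and
ProxyPassReverseCookiePath <internal> <public> modelled as a Path-prefix
replace.  Cookie values are constructed sample data."""
import re

APP = "/webpasswordsafe-1.2.1"  # backend context path quoted in the thread
BACKEND_SET_COOKIE = f"JSESSIONID=0123456789ABCDEF; Path={APP}; HttpOnly"


def rewrite_cookie_path(set_cookie, internal, public):
    """Path rewrite as ProxyPassReverseCookiePath does (simplified model):
    a Path beginning with `internal` has that prefix replaced by `public`."""
    def repl(m):
        path = m.group(1)
        return "Path=" + (public + path[len(internal):]
                          if path.startswith(internal) else path)
    return re.sub(r"Path=([^;]*)", repl, set_cookie, flags=re.I)


class CookieJar:
    """Minimal same-host jar keyed by (name, path): one name under two paths
    is stored twice, exactly as a browser does."""
    def __init__(self):
        self.cookies = {}

    def store(self, set_cookie):
        parts = [p.strip() for p in set_cookie.split(";")]
        name, value = parts[0].split("=", 1)
        path = next((p[5:] for p in parts[1:] if p.lower().startswith("path=")), "/")
        self.cookies[(name, path)] = value

    def cookie_header(self, request_path):
        """Cookie header a browser would attach to a request for request_path."""
        return "; ".join(f"{n}={v}" for (n, p), v in self.cookies.items()
                         if request_path == p
                         or request_path.startswith(p.rstrip("/") + "/"))


def xsrf_outcome(cookie_header, name="JSESSIONID"):
    """The two checks behind the exceptions quoted in this thread: the XSRF
    servlet needs exactly one session cookie to derive a token from."""
    values = [c.strip().split("=", 1)[1] for c in cookie_header.split(";")
              if c.strip().startswith(name + "=")]
    if not values:
        return "Session cookie is not set or empty! Unable to generate XSRF cookie"
    if len(values) > 1:
        return "Duplicate cookie! Cookie override attack?"
    return "ok: token derived from " + values[0]


# (Set-Cookie headers the browser received, proxied request path it then makes)
SCENARIOS = {
    # ProxyPass / only: the backend's Path never matches the public root.
    "proxypass_only": ([BACKEND_SET_COOKIE], "/xsrf"),
    # Arguments in the first post's order: Path lands under a prefix no public
    # request path ever has, so the cookie is never sent back.
    "first_post_order": ([rewrite_cookie_path(BACKEND_SET_COOKIE, "/", APP + "/")], "/xsrf"),
    # App visited directly and also proxied under its own context path on the
    # same host: two JSESSIONIDs with different paths both match the request.
    "direct_plus_proxy": ([BACKEND_SET_COOKIE, rewrite_cookie_path(
        BACKEND_SET_COOKIE.replace("0123", "FEDC"), APP, "/")], APP + "/xsrf"),
    # ProxyPassReverseCookiePath /webpasswordsafe-1.2.1 /  (order used above).
    "fixed": ([rewrite_cookie_path(BACKEND_SET_COOKIE, APP, "/")], "/xsrf"),
}


def outcome(name):
    """Load a scenario's Set-Cookie headers into a fresh jar and run the check."""
    headers, request_path = SCENARIOS[name]
    jar = CookieJar()
    for h in headers:
        jar.store(h)
    return xsrf_outcome(jar.cookie_header(request_path))
```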

Danny Wilkinson

Jan 6, 2014, 7:33:28 AM
to webpass...@googlegroups.com
I re-read the error message and it was actually telling me what the issue was.

I changed the context path in tomcat to /webpasswordsafe and did the same in my proxy pass ajp config in apache and it started working.

Before, the tomcat context path was /webpasswordsafe-1.3 and the apache proxy pass was "ProxyPass / ajp://localhost:8009/webpasswordsafe-1.3"

Although I may have just masked the issues as I didn't include the ProxyPassReverseCookiePath setting.

Tanguy Mezzano

Jul 11, 2014, 10:33:52 AM
to webpass...@googlegroups.com
Hi,

I've installed webpasswordsafe-1.3 on an openSUSE 13.1 and I'm stuck with the "Session Timeout. Please login again." problem.
The context is a MySQL connection with the apache2 web server.

What would be the configuration of tomcat server.xml and apache2 *.conf files to bypass that bug?

Thanks,

Tanguy