Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WFLY-11584] Legacy Web migrate op fails if a connector has scheme ht… #11993

Merged
merged 1 commit into from Feb 6, 2019
Merged

[WFLY-11584] Legacy Web migrate op fails if a connector has scheme ht… #11993

merged 1 commit into from Feb 6, 2019

Conversation

tmiyargi
Copy link
Contributor

…tps and no SSL config

Issue: https://issues.jboss.org/browse/WFLY-11584

There is a case were you can have https scheme with no configuration if working with a proxy, https scheme cannot be used to determine if it is using SSL.

@bstansberry
Copy link
Contributor

@fl4via Please review / approve.

Questions I had:

  1. Is it a certain thing that an https connector with no ssl child and a proxy-name configured always means this situation? If not should something be added to the 'warnings' node to help point out the ambiguous situation?

  2. Setting proxy-address-forwarding=true basically turns on ProxyPeerAddressHandler, which has this in the class javadoc:

 * Handler that sets the peer address to the value of the X-Forwarded-For header.
 * <p>
 * This should only be used behind a proxy that always sets this header, otherwise it
 * is possible for an attacker to forge their peer address;

So is turning this on on the basis of 'proxy-name' having been set sufficient?

@tmiyargi
Copy link
Contributor Author

@bstansberry, @fl4via, PR amended, everything in the configuration is optional, I cannot set a parameter that might make the user setup insecure in any case, so instead of failing if no SSL configuration is found, there is a warning message and the connector is migrated as http, since that is allowed and probably expected. Let me know if that is fine with you.

@fl4via
Copy link
Contributor

fl4via commented Jan 17, 2019

Just to let you know that this is under my radar. I'll have some time slot to look at it later today, it is on top of my todo list.

fl4via
fl4via suggested changes Jan 18, 2019
View reviewed changes
Copy link
Contributor

@fl4via fl4via left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the migrateConnector if/else statements need some changes.

legacy/web/src/main/java/org/jboss/as/web/WebMigrateOperation.java Outdated
@@ -985,33 +982,36 @@ private void migrateConnector(OperationContext context, Map<PathAddress, ModelNo
if (scheme == null || scheme.equals("http")) {
newAddress = pathAddress(UndertowExtension.SUBSYSTEM_PATH, DEFAULT_SERVER_PATH, pathElement(Constants.HTTP_LISTENER, address.getLastElement().getValue()));
addConnector = createAddOperation(newAddress);
} else if (scheme.equals("https")) {
} else if (scheme.equals("https") && legacyAddOp == null ) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that if (scheme == null || scheme.equals("http") {...} else if (scheme.equals("https")) {final ModelNode legacyAddOp =...; if (legacyAddOpp == null) {...} else {...}} else {...} is cleaner and leaves no space for bugs. The way it is right now, you are saying that no matter what is the value of scheme (we only know it is not null and not equal to "http", if we have ssl we will go to http. Is that what you intended?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right, only http and https values could be used but you can set there the value you like, added the changes. Thank you.

@fl4via
Copy link
Contributor

fl4via commented Jan 30, 2019

@bstansberry you can mark this is as ready to merge, IMO

@bstansberry bstansberry added the ready-for-merge Only for use by those with merge permissions! label Feb 4, 2019
@kabir
Copy link
Contributor

kabir commented Feb 5, 2019

Retest this please

@bstansberry bstansberry merged commit 608f6dc into wildfly:master Feb 6, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fl4via fl4via fl4via approved these changes

Assignees
No one assigned
Labels
ready-for-merge Only for use by those with merge permissions!
Projects
None yet
Milestone
No milestone
4 participants
@tmiyargi @bstansberry @fl4via @kabir