Incorrect host in Location header when creating resources via ReST
Description
In the following request/response to the ReST API:
$ curl -v -u admin:admin -H "Content-Type: application/json" -X POST -d '{"foreign-source":"test2","node":[]}' http://127.0.0.1:8980/opennms/rest/requisitions
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8980 (#0)
* Server auth using Basic with user 'admin'
> POST /opennms/rest/requisitions HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.40.0
> Host: 127.0.0.1:8980
> Accept: */*
> Content-Type: application/json
> Content-Length: 36
>
* upload completely sent off: 36 out of 36 bytes
< HTTP/1.1 303 See Other
< Set-Cookie: JSESSIONID=f6xa2855mfd113a1zoeambgkp;Path=/opennms
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Location: http://localhost:8980/opennms/rest/requisitions/test1
< Date: Thu, 10 Sep 2015 01:12:22 GMT
< Content-Length: 0
< Server: Jetty(8.1.10.v20130312)
<
* Connection #0 to host 127.0.0.1 left intact
The host in the returned Location header is set to localhost:8980, which differs from the host in the request, 127.0.0.1:8980.
As originally reported in NMS-7845, this can cause authentication errors, since existing session cookies attached to the 127.0.0.1:8980 host will no longer be used when following the redirect to localhost:8980.
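The mismatch described above can be checked mechanically. The following is an added example, not part of the original report or of OpenNMS code: it parses a trimmed, constructed copy of the curl -v transcript and reports whether the Location host matches the request Host, and which host-only cookies a client would not send when following the redirect. The function names `parse_headers` and `check_redirect` are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample: trimmed copy of the curl -v transcript from the report.
TRANSCRIPT = """\
> POST /opennms/rest/requisitions HTTP/1.1
> Host: 127.0.0.1:8980
> Content-Type: application/json
>
< HTTP/1.1 303 See Other
< Set-Cookie: JSESSIONID=f6xa2855mfd113a1zoeambgkp;Path=/opennms
< Location: http://localhost:8980/opennms/rest/requisitions/test1
< Content-Length: 0
<
"""

def parse_headers(transcript, marker):
    """Return (name, value) pairs from curl -v lines: '>' is sent, '<' is received."""
    headers = []
    for line in transcript.splitlines():
        if not line.startswith(marker):
            continue
        name, sep, value = line[1:].partition(":")
        # Skip the request/status line and blank separators (no "name: value" shape).
        if sep and " " not in name.strip():
            headers.append((name.strip().lower(), value.strip()))
    return headers

def check_redirect(transcript):
    """Compare the Location host with the request Host and list cookies left behind."""
    sent = dict(parse_headers(transcript, ">"))
    received = parse_headers(transcript, "<")
    request_host = sent["host"].lower()
    location = next((v for n, v in received if n == "location"), "")
    target = urlsplit(location)
    # A relative Location stays on the request host; only absolute URLs can differ.
    location_host = target.netloc.lower() or request_host
    req_name = urlsplit("//" + request_host).hostname
    loc_name = target.hostname or req_name
    not_sent = []
    for name, value in received:
        if name != "set-cookie":
            continue
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        # No Domain attribute means a host-only cookie (RFC 6265): it is returned
        # only to the exact host that set it. Ports are not part of the match.
        if loc_name != req_name and not any(a.startswith("domain=") for a in attrs):
            not_sent.append(value.split("=", 1)[0])
    return {"request_host": request_host, "location_host": location_host,
            "host_matches": location_host == request_host, "cookies_not_sent": not_sent}

if __name__ == "__main__":
    print(check_redirect(TRANSCRIPT))
```

Run against a transcript where the Location host equals the request host, `host_matches` is true and `cookies_not_sent` is empty.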
CXF 3.1.5 was released, I'll work up updating it in foundation-2016.
Alejandro Galue January 29, 2016 at 12:56 PM
Edited
I think @Benjamin Reed is right. On a CentOS VM, the Location header for the last foundation-2016 RPMs is correct (check the new screenshot).
Alejandro Galue January 29, 2016 at 12:14 PM
Edited
Clearly, you can see that a request against demo.opennms.org returns localhost in the Location header of the 303 response, which is incorrect by definition.
Benjamin Reed January 29, 2016 at 12:14 PM
Demo is reverse-proxied with apache in front of it, so maybe something related to that is messing things up?