When using a reverse proxy to access AS7 console and a browser that sets the header Origin, 403 is returned due to mismatch between Origin and Host headers.

Run the server on localhost for example by:

bin/domain.sh

Run apache httpd with the following configuration (e.g. in /etc/httpd/conf.d/proxy_console.conf):

ProxyPassReverseCookieDomain localhost <your server public hostname>
ProxyPassReverse / http://localhost:9990/
ProxyPass        / http://localhost:9990/

These should work:
open http://<your server public hostname> with firefox or IE - this should work
curl -v -u "adminusername:adminpassword" --digest http://localhost:9990/management/ # on the server this should work

These fail:
open http://<your server public hostname> with chromium
curl -v -u "adminusername:adminpassword" -H "Origin: http://<your server public hostname>" --digest http://localhost:9990/management/

What happens is that Chromium sets the Origin header to the server public IP hostname. mod_proxy keeps that header but sets Host to localhost:9990. The domain management handler sees the mismatch and returns 403. Firefox and IE do not set that header so they work.

That protection of the domain management api was introduced in:
https://issues.jboss.org/browse/AS7-2400
https://github.com/jbossas/jboss-as/commit/29cf3610d8dab1af0227842d877b926543b72273