  1. JBoss Web Server
  2. JWS-89

SSLValve should check for multiple headers

Details

    • Bug
    • Resolution: Done
    • Critical
    • JWS 3.0.1 CR2
    • JWS 3.0.0 GA, JWS 3.0.1 DR1, JWS 3.0.1 CR1, JWS 3.0.1 CR2
    • tomcat7, tomcat8
    • None
    • Release Notes
    • There was a shortcoming in `SSLValve`: it only looked for a single `ssl_client_cert` header, when it should also have looked for multiple additional `ssl_client_cert` headers to account for `X-Forwarded-For` headers as well.

      This issue is resolved in this release, and `SSLValve` now correctly checks for multiple `ssl_client_cert` headers.
    • Documented as Resolved Issue

    Description

      This is perhaps rather a shortcoming than a bug per se. It is present in JBossWeb delivered with EAP 6.3.0 and it has been fixed in jbossweb-7.5.4.Final delivered with EAP 6.4.0 Beta. Both Tomcat 8 and Tomcat 7 in JWS3 don't have the patch.

      Notes:

      WDYT?

          People

            rmaucher Remy Maucherat
            rmarwaha@redhat.com Richa Marwaha
            Michal Karm Michal Karm
            Lucas Costi Lucas Costi (Inactive)