[oae-dev] [oae-production] Server Protection Service HMAC creation breaks when app and content server are both on SSL
Daniel Parry
daniel at caret.cam.ac.uk
Mon Oct 3 05:09:35 PDT 2011
On Fri, Sep 30, 2011 at 09:14:17AM -0700, Ray Davis wrote:
> I happened
> to hit the problem on our CalCentral deployment and fixed it via a new
> configuration property:
>
> http://groups.google.com/group/sakai-kernel/browse_thread/thread/6519c7e02cb89cf8/178de6e006c8ff45
> https://jira.sakaiproject.org/browse/KERN-2088
>
> Here is how we took advantage of the new feature locally:
>
> https://github.com/ets-berkeley-edu/myberkeley/commit/2bccbb0a18936b3898e4d673f06d5b5612d755a5
>
> The problem with the old Cambridge patch is that it assumed the only
> difference between the external (in front of httpd) untrusted URL and
> the internal (behind httpd) untrusted URL would be the protocol string.
> This is not a documented restriction of the Server Protection Service
> and doesn't match our local deployment.
Hi Ray,
I'm guessing your local deployment must be something other than
that indicated by:
https://github.com/ets-berkeley-edu/myberkeley/commit/2bccbb0a18936b3898e4d673f06d5b5612d755a5
since in that commit the only differences I see are in the
protocol string https vs http?
The configuration change seems to work for us, too. I say "seems"
as the logs indicate things are working, though the content
preview service operation that I was using to test this change
still seems to be failing, but that's another thread :)
This seems like a tricky config to apply for a newbie deployer? It
basically seems to equate to: 'you'll need to enter in here the
value you think will end up at your nakamura instance, rather than
the entry point one which you might expect to put here. If you're
not sure what that might be then changing https to http might be a
good guess'.
I would think most people would not know what to configure here
really until they fire up the system, eventually enable debug on
http.usercontent and get the log entry that suggests the backend
is seeing http instead of https (probably in most cases - given
the config you linked to and our own).
As such, I'd like to suggest that dropping the protocol from the HMAC
comparison as a default, and leaving the option in to configure a
more fine-grained difference if necessary, might avoid this
becoming an FAQ for future deployers? WDYT?
Best wishes,
Daniel
--
--| Daniel Parry: daniel at caret.cam.ac.uk. www.caret.cam.ac.uk/ |--
COBOL:
"An exercise in Artificial Inelegance."
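The mismatch discussed in this thread, as an added illustration that is not Nakamura's code: a simplified model in which the token is an HMAC over the request URL, the edge sees https while the backend behind httpd sees http, and the two remedies mentioned above are compared (signing the URL as the backend will see it per a configured value, versus dropping the scheme from what is signed). The secret and URLs are constructed values, and `as_configured` is an assumption about how a configured backend-visible URL would be applied, not the KERN-2088 implementation.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Constructed shared secret; a real deployment has its own.
SECRET = b"constructed-shared-secret"


def canonical(url: str, ignore_scheme: bool) -> str:
    """The form of the URL that gets signed; optionally with the scheme dropped."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(scheme="") if ignore_scheme else parts)


def sign(url: str, ignore_scheme: bool = False) -> str:
    """Hex HMAC-SHA256 over the canonical URL."""
    msg = canonical(url, ignore_scheme).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def verify(backend_url: str, token: str, ignore_scheme: bool = False) -> bool:
    """The backend recomputes the HMAC over the URL it actually received."""
    return hmac.compare_digest(sign(backend_url, ignore_scheme), token)


def as_configured(external_url: str, configured_base: str) -> str:
    """Assumed mechanics of the configured-value approach: replace scheme and
    host with what the deployer says will arrive at the nakamura instance."""
    ext, cfg = urlsplit(external_url), urlsplit(configured_base)
    return urlunsplit(ext._replace(scheme=cfg.scheme, netloc=cfg.netloc))


def compare_strategies() -> dict:
    # Constructed URLs: the client asks for https, httpd forwards plain http.
    external = "https://content.example.edu/p/abc123/file.pdf"
    internal = "http://content.example.edu/p/abc123/file.pdf"
    configured_base = "http://content.example.edu"  # value a deployer would enter
    return {
        # Token signed over the external URL never matches what the backend sees.
        "naive": verify(internal, sign(external)),
        # Sign the URL as the backend will see it, per configuration.
        "configured": verify(internal, sign(as_configured(external, configured_base))),
        # Drop the scheme on both sides, as proposed in the message above.
        "scheme_dropped": verify(internal, sign(external, True), True),
    }
```

Dropping the scheme means a token minted for an https URL also verifies for the http form of the same URL, so the TLS requirement then rests entirely on httpd at the edge rather than on the token.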