Tagged “http”

Java: process http.proxyUser and http.proxyPassword

Published by cybso on

This is a post from my original site, which was hosted by the former blog service of the University of Osnabrück. I have moved it to the new site for archiving. Pages linked in this article may no longer work today, and the blog comments under the article no longer exist. Opinions expressed in this article reflect the point of view of the time of publication and do not necessarily reflect my opinion today.

Some tutorials suggest using the system properties http.proxyUser and http.proxyPassword for proxy authentication, but that won't work: in contrast to http.proxyHost and http.proxyPort, these properties are not processed by Java's HttpURLConnection.

Others suggest using a custom default Authenticator. But that is dangerous, because an Authenticator that answers every request would send your password to anybody who asks.

The following snippet uses an Authenticator to process http.proxyUser, but ensures that this information is only sent to the host that is defined by http.proxyHost:

import java.net.Authenticator;
import java.net.PasswordAuthentication;

// Java ignores http.proxyUser. Here comes the workaround.
Authenticator.setDefault(new Authenticator() {
    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // Only answer proxy challenges, never challenges from origin servers.
        if (getRequestorType() == RequestorType.PROXY) {
            String prot = getRequestingProtocol().toLowerCase();
            String host = System.getProperty(prot + ".proxyHost", "");
            String port = System.getProperty(prot + ".proxyPort", "");
            String user = System.getProperty(prot + ".proxyUser", "");
            String password = System.getProperty(prot + ".proxyPassword", "");

            // Hand out the credentials only if the challenge comes from the
            // configured proxy. Comparing the port as a string avoids a
            // NumberFormatException when the proxyPort property is not set.
            if (host.equalsIgnoreCase(getRequestingHost())
                    && port.equals(String.valueOf(getRequestingPort()))) {
                // Seems to be OK.
                return new PasswordAuthentication(user, password.toCharArray());
            }
        }
        return null;
    }
});
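
The difference between the two approaches can be checked without any network traffic by raising challenges through Authenticator.requestPasswordAuthentication. The following is an added example, not part of the original post; the class names, host names and credentials are constructed placeholders.

```java
import java.net.Authenticator;
import java.net.Authenticator.RequestorType;
import java.net.PasswordAuthentication;

public class ProxyAuthCheck {
    // The risky variant: answers every challenge, whoever sends it.
    static class Unconditional extends Authenticator {
        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication(System.getProperty("http.proxyUser", ""),
                    System.getProperty("http.proxyPassword", "").toCharArray());
        }
    }

    // The restricted variant: only the proxy from http.proxyHost/http.proxyPort is answered.
    static class ProxyOnly extends Authenticator {
        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            if (getRequestorType() != RequestorType.PROXY) return null;
            String prot = getRequestingProtocol().toLowerCase();
            String host = System.getProperty(prot + ".proxyHost", "");
            String port = System.getProperty(prot + ".proxyPort", "");
            if (!host.equalsIgnoreCase(getRequestingHost())
                    || !port.equals(String.valueOf(getRequestingPort()))) return null;
            return new PasswordAuthentication(System.getProperty(prot + ".proxyUser", ""),
                    System.getProperty(prot + ".proxyPassword", "").toCharArray());
        }
    }

    // Raise a challenge the way the HTTP stack would; true means credentials were handed out.
    static boolean answers(Authenticator a, String host, int port, RequestorType type) {
        Authenticator.setDefault(a);
        return Authenticator.requestPasswordAuthentication(
                host, null, port, "http", "realm", "basic", null, type) != null;
    }

    public static void main(String[] args) {
        // Constructed sample configuration; all values are placeholders.
        System.setProperty("http.proxyHost", "proxy.example.org");
        System.setProperty("http.proxyPort", "3128");
        System.setProperty("http.proxyUser", "alice");
        System.setProperty("http.proxyPassword", "placeholder-secret");
        for (Authenticator a : new Authenticator[] { new Unconditional(), new ProxyOnly() }) {
            System.out.println(a.getClass().getSimpleName()
                    + " configuredProxy=" + answers(a, "proxy.example.org", 3128, RequestorType.PROXY)
                    + " otherProxy=" + answers(a, "other.example.net", 3128, RequestorType.PROXY)
                    + " originServer=" + answers(a, "www.example.com", 80, RequestorType.SERVER));
        }
    }
}
```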

Apache "Include" directive with wildcards

Published by cybso on

Apache's Include directive does not accept wildcards, so something like this won't be allowed:

Include /srv/www/vhosts/*/conf/vhost.conf

You can use mod_perl to achieve this. Additionally, the following example does a simple permission check to ensure that the included file has not been modified by an ordinary user:

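<perl>
    use File::stat;
    foreach my $file (glob '/srv/www/vhosts/*/conf/vhost.conf') {
        # Skip files that cannot be inspected (e.g. removed in the meantime).
        my $stat = stat($file);
        unless ($stat) {
            warn "Cannot stat $file, skipping!\n";
            next;
        }
        # Only accept files owned by user root and group root.
        if ($stat->uid != 0 || $stat->gid != 0) {
            warn "$file is not owned by root:root, skipping!\n";
            next;
        }
        # Reject files that anybody may write to.
        if ($stat->mode & 0002) {
            warn "$file is world-writable, skipping!\n";
            next;
        }
        # Queue the file for inclusion.
        push @Include, $file;
    }
</perl>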

Logout from HTTP auth using Apache

Published by cybso on

Since no mechanism is defined to log the user out of an HTTP-authenticated session, you have to use a workaround. Most browsers forget their login data once they receive a 403 response. The problem is that the user has to return to the normal starting page manually.

Update 2017-02-22: It seems that this technique doesn't work anymore in recent Firefox and Chrome browsers.

The following code, which can be embedded into an Apache VHost declaration, uses a cookie to send a 403 response to the browser the first time it requests "/logout", and redirects it to "/" the second time, so the user can immediately log in again if they want to.

Please note that the order of the declarations does matter! The Location block must be the last block which requires a user or group.

RewriteCond %{HTTP_COOKIE} ^.*logout=1.*$
RewriteRule ^/logout$ / [R,L,co=logout:0:%{HTTP_HOST}:0:/logout]
RewriteRule ^/logout$ - [R,L,co=logout:1:%{HTTP_HOST}:0:/logout]
<Location /logout>
    Require user nonexistinguser
</Location>