Does CORS-Anywhere work with URLs that are "protected" by web access control products like Oracle OAM, CA Sitemender, etc.? #378
Comments
|
Hi, I just found this on the help on the demo page: But the README.md on the github project page says
The protocols for the web access control products also rely on sending cookies and also query parameters during the authentication process, so do you think the out-of-box CORS-Anywhere would work? Also I wanted to test, using your demo, but when entering the URL to the demo I am getting this: Is that because, to use the demo, that your demo needs to be able to resolve the hostname in the URL that we enter? Thanks, EDIT: I should mention that the "test.whatever.com" hostname is a hostname that is in the c:\windows\system32\drivers\etc\hosts file of the Windows workstation that I am running the browser from. I was hoping that the hostname in the URL that I entered into the demo page would get resolved by that hosts file, but it sounds like the hostname actually has to be resolvable by (maybe) your demo server itself? Is that the case? Also, can an IP address be used in the URL that is entered into the demo page? Or, must it be a FQDN? |
No. It is not secure to enable cookies when the proxy is used to access multiple websites.
A third-party server cannot look in your local hosts file. That would be quite a security issue on your end.
An IP address or host name is valid. The list of valid TLDs is stored in https://github.com/Rob--W/cors-anywhere/blob/master/lib/regexp-top-level-domain.js |
|
Hi,i This test is using CORS Anywhere that is deployed on one of my test servers. Before I started testing with the protected resource, I have an almost identical "unprotected" test setup where the Javascript/XHR (in xhrtest/xhr-fakewava.html) is accessing a resource that is NOT protected, and when I test with this "unprotected" setup, the test works, i.e., the Javascript/XHR is able to retrieve the resource, using URL:
So then I made a new target resource, "wavatarget-charlieeastweb05/index.html" that is hosted on a machine that has an OAM webgate. I use an almost identifical HTML page with the Javascript/XHR, "xhrtest/xhr-fakewava-protectedpage.html". The only difference is the double-URL is different:
However, when I use the page with the XHR pointing to the protected resource, I get a 404 error, and in the browser web developer=>network=>Response, it has the following message:
I was searching the Issues and found issue 123, that mentions the same error, from that thread, it looks like that problem was fixed awhile ago? As I mentioned above, with a WAM like OAM, when a resource is protected, and a request is made for the resource, OAM will cause a 302/redirect, and in fact, in the Apache access_log, the last request I see shows a 302 response and the Location is set to one of the OAM endpoints: "+++LOCATION+++++ https://charlieeastweb04....com:14430/oam/server/.... +++++++++++++" I am guessing that when I do this test (XHR accessing protected resource), the browser is being re-directed to that OAM URL and then the error that is being shown in the browser web developer=>network=>Response occurs (the "self signed certificate in certificate chain"), but I not sure why that would happen, because when I point the same browser directory to the protected resource URL, I get a cert popup and after selecting a certificate, I can access the page. When that error occurs, can you tell me which component is getting the error? Is it the CORS Anywhere itself? Also which certificate chain is that error referring to? Jim EDIT: I just did another test where I just used the demo web app (on my system) and pointed it to the same URL: http://charlieeastweb......gxaws.com:7777/wavatarget-charlieeastweb05/index.html and I also got a 404 and the same error text in the demo web app text box. I was wondering if you could suggest where I might try to put some debug code, e.g., in the server.js or in the cors-anywhere itself? EDIT 1: FYI, I found this: and, only temporarily, I tried the suggestion of adding the
before starting the server.js, and it looks like I got further and I don't get that error, but am having some other problem (it doesn't look like I am authenticating successfully to OAM), so I need to figure out what is going on with that now... |
|
Hi Rob, I think I almost have CORS Anywhere working with a test OAM scenario, but: I currently am still having to do the "export NODE_TLS_REJECT_UNAUTHORIZED='0'" to avoid the "self-signed certificate in chain" problem. Is it possible to tweak the server.js or the CORS Anywhere code to import one of our CA certs so that I don't have to do that export? I am not 100% sure yet, but for my test with the protected resource, it is getting through the most of the flow, but I am still getting an "ENOENT"/404 error at the end. That error SEEMS to be saying that there is a problem with the hostname, but I stood up a new DNS server for this testing. OAM tends to return a 404 error when authentication fails, so I don't know for sure if the 404 error is because of an authentication error, or if there is because of something else like the name resolution. Another possibility is that the problem may be that cookies that are normally created as part of the OAM authentication (and which are used for authorization) are gone. Actually at the end, the browser doesn't seem to have any cookies at all. The lack of those cookies could also be causing the 404 error response. Is there any way that I can modify the server.js (or maybe something else), to NOT drop the cookies? For example I noticed this snippet in the server.js: If I removed the: Would that allow the cookies to not be dropped? Please advise. Thanks, EDIT: After much more testing, last night and today, I am starting to feel like the redirects that are supposed to happen when the request goes to the protected resource, are not even happening :(... The reason that I am starting to think this is:
Do you have any idea why the redirects might not be occurring? EDIT 2: For comparison, here's a screenshot of the web developer=>Network for a test request where I pointed the browser directly to a protected resource (the cgi-bin/printenv on an Apache):
As you can see, there are 4 302/redirects (due to the webgate), followed by the final 200/OK. Then, I used the same URL, but put it into the demo web text box and here is what the web developer=>Network looks like:
This time, there is only one request showing, with a 200/OK response... From the text in the left pane, the response page was an error page when the authentication failed. I read the help page, which says that it should be able for follow 5 redirects: So I am puzzled why the redirects do not seem to be happening? What could cause the redirects not to be followed? EDIT 3: I was re-reviewing the test that I did where I provided the screen shots above and for the one where there were 4 302/redirects, I wanted to mention that the initial request was http, but 2 of the redirects were to https (and one of the 2 is actually looking for a 2-way SSL handshake to get the user's client cert). Then I found this older issue/post: https://github.com/Rob--W/cors-anywhere/issues/27#issuecomment-108632963 and I was wondering if you think that any of the 5 suggestions you made might help me? In particular I am thinking of this one:
|
|
FYI, after re-examining some pcap files that I captured earlier, I am seeing "hints" that the redirects are actually occurring. I don't see (yet) the actual redirected requests themselves, but I am seeing the "X-CORS-Redirect-1" etc. response headers in one of the responses and also the "X-final-url" header. I am guessing that the reason that I don't see the actual requests corresponding to those URLs is that I haven't configured Wireshark to decrypt the SSL yet, which I am attempting to do now. I gather that the "x-final-url" means that is the final redirect in the chain of redirects? If so, the URL in that "x-final-url" header should not be the last URL in the chain of redirects (there should be more non-SSL redirects after the 2 SSL redirects that I see now). Jim EDIT: FYI, I have configured Wireshark for SSL decryption, and unfortunately the actual missing request/responses are still not appearing in Wireshark. |
|
Hi Rob, FYI, I wanted to update my situation:
Thanks, |
The cookie would not be dropped, but cookies are still stripped in the library. This is hard-coded at cors-anywhere/lib/cors-anywhere.js Lines 213 to 215 in 70aaa22 It is not secure at all to remove this, because it can result in leakage of credentials between proxied websites. I strongly advice against it, as I mentioned at https://github.com/Rob--W/cors-anywhere/pull/154#issuecomment-468649353 |
|
Hi Rob, Here's an update. I determined that the reason I wasn't able to see most of the request/response pairs before was because our dev environment is on AWS, and promiscuous monitoring doesn't work on AWS, so I have now put together a test environment that is running under VirtualBox. I think I now have a scenario that is almost close to the scenario that we were having earlier, and I have been able to capture packet captures. Even to get to this point, I had to add some Header directives in a in my Apache, because requests were coming in with "Origin" request headers, but the responses did not have the CORs response headers. It also looks like there are two places where there are requests with "Origin" headers with values, where the response is a 401. The requests that correspond to those 2 401 responses both have an "Origin" header, but one of the 401 responses has an "Access-Control-Allow-Origin" response header, and the other 401 response does not have an "Access-Control-Allow-Origin" response header. I think that because the request with the response without the ACAO response header is causing that 401 response to be blocked, and that is causing the the authentication to fail (this scenario is using BASIC authentication). Thus far, I cannot fix those last 2 using the Header directives, because those URLs are going directly to the WebLogic/OAM server. Would it be all right to send you the PCAP file? Thanks, EDIT: To be clear, because the 2 401 responses are being blocked, the rest of the protocol doesn't even happen, so there is more requests/response pairs that I still have not seen yet. |
|
Hi, I was able to find a different (what Oracle calls) "authentication scheme", which doesn't need redirects, so I changed the protection on the target URL in OAM to use that authentication scheme. This authentication scheme is using HTTP BASIC authentication (where you get a popup window to enter username and password). When I tested going directly (using a browser) to that protected resource, sure enough there are no redirects. I get the BASIC popup, enter my username and password, and then the browser receives the protected page. So I changed my test so that my Javascript/XHR does a GET on that protected URL with the CORS Anywhere URL (http://xxx:8080/) pre-pended to the protected URL. However when I test that, I don't get the Basic popup. Looking at the wireshark capture, I see the 401 response that has the "www-authenticate: Basic realm=xxxx" response header, which is supposed to be what causes the browser to present the popup window, so I've been looking at the 401 response when using the javascript/xhr and CORS Anywhere vs. going directly to the protected URL using a browser. Right now, the only thing that I see is: In the above, for the case where the request is from Javascript+XHR going through CORS Anywhere, to the protected resource, the 401 response has:
but when using a browser to go to the protected resource, the 401 response has: I've been trying to configure the Apache that is hosting the protected URL (an Apache server). I can get the Apache to inject the "Keep-Alive: timeout=5, max=100" response header using the Apache "Header" directive, but it seems like there is no way to replace the "Connection: close" with "Connection: Keep-Alive" (I can ADD to the Connection header, but I cannot remove the "close"). The reason that I am posting this is that I cannot determine for sure where the "Connection" response header is coming from. I don't think it is from the Apache that is hosting the target page, because that doesn't change between the 2 different cases. So I am wondering if it is possible that that "Connection: close" response header is being set in the response by CORS Anywhere? Thanks, |
|
Hi Rob, I just found this thread in SO: https://stackoverflow.com/questions/18499465/cors-and-http-basic-auth and specifically the response from "Brock Allen" on Aug 29, 2013: "If you're requesting credentials then the server must respond with the specific origin in the Access-Control-Allow-Origin response header (and thus can't use the wildcard *). Of course it would then also need to respond with Access-Control-Allow-Credentials response header too." And then I checked the 401 response that is going back to the browser in my Wireshark captures, and that 401 response does have: access-control-allow-origin: * So perhaps that (because of the *) may be preventing the browser from popping up the login window? I am not 100% sure where that response header is coming from, but I'm guessing that it may be from CORS Anywhere? If so, could CORS Anywhere be able to send back a header that doesn't have "*", but rather the value from the original "Origin" request header? FYI, here is the request captured: and here's the 401 response (to the BROWSER): So if that access-control-allow-origin header is from CORS Anywhere, could somehow CORS Anywhere be able to send back:
instead of:
?? Thanks, EDIT: It looks like the access-control-allow-origin header is being set to "*" here in the code: |
Hi,
We have a number of situations where our users use (XHR/Fetch) clients to access resources (URLs) that are on different domains, and where those resources are "protected" by something like a "web agent" (e.g., Oracle OAM webgate, CA Siteminder webagent, etc.). These web agents typically use redirects to cause the incoming browser request to produce a request to a different URL, which then communicates with the web access control product's server, so something like, in the case of these XHR clients:
XHR client (in browser) ==> Request to protected URL (in a different domain than the server that served the client code)
Access Product Web agent ==> Sends 302/redirect to client to a different Access product endpoint
XHR client follows the redirect (this request would have "Origin: null" due to the redirect)
Access product server consumes the request, "authenticates" the user, and sends 302/redirect to client, together with some Set-Cookie
XHR client ==> Request to protected URL but with Access product cookies
The above flow is somewhat high-level, but would a CORS-Anywhere server work with this scenario?
Thanks,
Jim
The text was updated successfully, but these errors were encountered: