Project: Application Server 3 4 5 and 6
Issue: JBAS-2509

IP-based virtual hosts do not keep HTTP requests separated


Details

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: JBossAS-4.0.2 Final
    • Component/s: Web (Tomcat) service
    • Labels: None

    Description

      In order to implement IP-based virtual hosts in JBoss 4.0.2, two <Connector>s (each of which binds to a different IP address to implement the IP-based virtual hosts) must be put together in the same <Service>, with each virtual host defined in separate <Host> sections within the same <Engine>.

      <Server>
        <Service>
          <Connector port="9443" address="10.0.0.1"/>
          <Connector port="9443" address="10.0.0.2"/>
          <Engine defaultHost="vhost1">
            <Realm/>
            <Host name="vhost1">
              <Alias>www.foo.com</Alias>
              <DefaultContext/>
              <Valve/>
            </Host>
            <Host name="vhost2">
              <Alias>www.bar.com</Alias>
              <DefaultContext/>
              <Valve/>
            </Host>
          </Engine>
        </Service>
      </Server>

      This presents a potential security issue in that a request that comes in the <Connector> for vhost1 may be handled by the <Host> for vhost2 with a specially-crafted Host: HTTP header. (NOTE: I have not tested this myself, but it's fairly clear that there is no specific binding between a <Connector> and a <Host> in this configuration.)

      It should be possible to separate the IP-based virtual hosts so that traffic from one virtual host can't be handled by another one. I would expect JBoss to support a configuration file like this, although this doesn't work in practice:

      <Server>
        <Service name="jboss.web">
          <Connector port="9443" address="10.0.0.1"/>
          <Engine defaultHost="vhost1">
            <Realm/>
            <Host name="vhost1">
              <Alias>www.foo.com</Alias>
              <DefaultContext/>
              <Valve/>
            </Host>
          </Engine>
        </Service>
        <Service name="jboss.web2">
          <Connector port="9443" address="10.0.0.2"/>
          <Engine defaultHost="vhost2">
            <Realm/>
            <Host name="vhost2">
              <Alias>www.bar.com</Alias>
              <DefaultContext/>
              <Valve/>
            </Host>
          </Engine>
        </Service>
      </Server>

      Note that XML tag attributes that don't pertain specifically to this bug have been left out of the examples above.
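      As an added example (not part of the report or of JBoss itself), a small Python check that parses server.xml fragments modelled on the two layouts above, flags the shared-Service shape in which nothing ties a Connector to a particular Host, and simulates which <Host> would serve a request given the Connector address it arrived on and its Host: header. The host-selection logic is a simplified model of Tomcat's Engine (match Host name or Alias, else defaultHost), and the two XML samples are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments modelled on the two layouts in the report.
SHARED = """<Server><Service name="jboss.web">
  <Connector port="9443" address="10.0.0.1"/>
  <Connector port="9443" address="10.0.0.2"/>
  <Engine defaultHost="vhost1">
    <Host name="vhost1"><Alias>www.foo.com</Alias></Host>
    <Host name="vhost2"><Alias>www.bar.com</Alias></Host>
  </Engine></Service></Server>"""

SPLIT = """<Server>
  <Service name="jboss.web"><Connector port="9443" address="10.0.0.1"/>
    <Engine defaultHost="vhost1"><Host name="vhost1"><Alias>www.foo.com</Alias></Host></Engine></Service>
  <Service name="jboss.web2"><Connector port="9443" address="10.0.0.2"/>
    <Engine defaultHost="vhost2"><Host name="vhost2"><Alias>www.bar.com</Alias></Host></Engine></Service>
</Server>"""

def services(xml):
    """Yield (service name, connector addresses, defaultHost, {name/alias -> Host name})."""
    for svc in ET.fromstring(xml).iter("Service"):
        addrs = {c.get("address") for c in svc.findall("Connector")}
        engine = svc.find("Engine")
        names = {}
        for host in engine.findall("Host"):
            hname = host.get("name")
            names[hname.lower()] = hname
            for alias in host.findall("Alias"):
                names[alias.text.strip().lower()] = hname
        yield svc.get("name", "<unnamed>"), addrs, engine.get("defaultHost"), names

def shared_host_services(xml):
    """Services in the risky shape: several IP-bound Connectors feeding one Engine
    that holds several Hosts, so the Host: header alone picks the virtual host."""
    return [name for name, addrs, _, names in services(xml)
            if len(addrs) > 1 and len(set(names.values())) > 1]

def route(xml, local_addr, host_header):
    """Host that serves a request arriving on local_addr with the given Host: header.
    Simplified model of Tomcat's Engine: match name or alias, else defaultHost."""
    for _, addrs, default, names in services(xml):
        if local_addr in addrs:
            return names.get(host_header.lower(), default)
    return None  # no Connector listens on that address

if __name__ == "__main__":
    for label, cfg in (("shared", SHARED), ("split", SPLIT)):
        print(label, "risky services:", shared_host_services(cfg),
              "| 10.0.0.1 + Host: www.bar.com ->", route(cfg, "10.0.0.1", "www.bar.com"))
```

      With the shared layout a request on the 10.0.0.1 Connector carrying Host: www.bar.com lands in vhost2; with the split layout the same request stays in vhost1 because that Service's Engine knows no other Host.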

      People

        Assignee: Unassigned
        Reporter: David Kilzer (ddkilzer_jira, Inactive)