-
Aug 26th, 2011, 10:00 AM
#1
OAuth with Barracuda Load Balancer
I'm setting up OAuth for the first time and things were going well in our testing environment - all working ok. However as soon as we deployed to our live server which works through the Barracuda Load Balancer every single request was unauthorised.
The load balancer is working as a proxy. It terminates incoming requests from the client and creates a new one - the new one is identical with the exception of SSL offloading.
Is it the SSL offloading that is likely to be causing this issue? Or perhaps something else.
Thanks for any help you can offer.
-
Aug 27th, 2011, 10:09 AM
#2
I think you'll need to supply some additional information. Why exactly are the requests saying unauthorized? Is it because there's no oauth token found? Is it because there's no session? Stack traces would be helpful.
-
Aug 27th, 2011, 11:21 AM
#3
It works just fine when I send requests directly to the server, so it must be the load balancer.
Here's the stack:
org.springframework.security.oauth.consumer.OAuthRequestFailedException: OAuth authentication failed: Unauthorized
at org.springframework.security.oauth.consumer.CoreOAuthConsumerSupport.readResource(CoreOAuthConsumerSupport.java:221)
at org.springframework.security.oauth.consumer.CoreOAuthConsumerSupport.getTokenFromProvider(CoreOAuthConsumerSupport.java:399)
at org.springframework.security.oauth.consumer.CoreOAuthConsumerSupport.getUnauthorizedRequestToken(CoreOAuthConsumerSupport.java:95)
at com.gamma.purple.hpbx.auth.AutoLoginHelper.getRequestToken(AutoLoginHelper.java:114)
at com.gamma.purple.hpbx.auth.AutoLoginHelper.getAutoLoginURL(AutoLoginHelper.java:180)
at com.gamma.purple.hpbx.auth.OAuthRedirectionLoginSelT.obtainAndAuthoriseToken(OAuthRedirectionLoginSelT.java:109)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:27)
at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:74)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:31)
at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:82)
at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:72)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:240)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:49)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:193)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:52)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:191)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:42)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:184)
at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)
at org.junit.runners.ParentRunner.run(ParentRunner.java:236)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:180)
at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:49)
at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
Here's the request
POST /oauth/request_token HTTP/1.1
Authorization: OAuth oauth_consumer_key="GammaPortal", oauth_nonce="7b684483-5daf-4aa6-a520-a8c4d66070ad", oauth_signature="OIc%2BO5YpUsCKc%2FSAq6ta6jLBVIfKiN2S%2Fw6Lhd6cNnXo7S%2FF19rFWrnSoKp8hvNF5jZ24lZa1zCcVP8dCGhzIs%2BsGYKZkTo3Lt4AE%2BJlso7mEPWc4uTspzti59t4vdu9dCCc5h8FSYoEV8OJ8OLod56lkiiqzbJR%2FLGnvLuW%2FsM%3D", oauth_signature_method="RSA-SHA1", oauth_timestamp="1314362751", oauth_version="1.0"
Content-Type: application/x-www-form-urlencoded
User-Agent: Java/1.5.0_11
Host: www.portal-administration.unlimitedhorizon.co.uk
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth
Content-Type: text/html;charset=utf-8
Content-Length: 1095
Date: Fri, 26 Aug 2011 12:45:51 GMT
and the full response
POST /oauth/request_token HTTP/1.1
Authorization: OAuth oauth_consumer_key="GammaPortal", oauth_nonce="7b684483-5daf-4aa6-a520-a8c4d66070ad", oauth_signature="OIc%2BO5YpUsCKc%2FSAq6ta6jLBVIfKiN2S%2Fw6Lhd6cNnXo7S%2FF19rFWrnSoKp8hvNF5jZ24lZa1zCcVP8dCGhzIs%2BsGYKZkTo3Lt4AE%2BJlso7mEPWc4uTspzti59t4vdu9dCCc5h8FSYoEV8OJ8OLod56lkiiqzbJR%2FLGnvLuW%2FsM%3D", oauth_signature_method="RSA-SHA1", oauth_timestamp="1314362751", oauth_version="1.0"
Content-Type: application/x-www-form-urlencoded
User-Agent: Java/1.5.0_11
Host: http://www.portal-administration.unl...n.co.uk
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth
Content-Type: text/html;charset=utf-8
Content-Length: 1095
Date: Fri, 26 Aug 2011 12:45:51 GMT

<html><head><title>Apache Tomcat/6.0.32 - Error report</title>
<style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style>
</head><body>
<h1>HTTP Status 401 - Invalid signature for signature method RSA-SHA1</h1>
<HR size="1" noshade="noshade">
<p><b>type</b> Status report</p>
<p><b>message</b> <u>Invalid signature for signature method RSA-SHA1</u></p>
<p><b>description</b> <u>This request requires HTTP authentication (Invalid signature for signature method RSA-SHA1).</u></p>
<HR size="1" noshade="noshade">
<h3>Apache Tomcat/6.0.32</h3>
</body></html>
-
Aug 29th, 2011, 10:08 AM
#4
The key message there is "Invalid signature for signature method RSA-SHA1". Perhaps it has something to do with the host name that is calculated? Is the "Host" header different when you go through the load balancer than when you hit the server directly? Maybe you have to force the consumer or provider to use a specific host?
-
Oct 18th, 2011, 09:06 PM
#5
How I solved this problem
I had the same problem here with F5 and SSL termination. The problem is that the host with "https://" is calculated in the signature by the consumer, and the provider checks the signature using "http://", which is what it sees after the SSL got terminated by the load balancer.
To fix it I did a lot of hacking to force the server to just do redirects with "https://" and to always use "https://" when calculating signatures. I had the option to use just https though.
Cheers
Marcelo
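The mismatch described in post #5, as an added example that is not code from any poster in this thread or from Spring Security OAuth: it builds the OAuth 1.0 signature base string (RFC 5849, section 3.4.1) once with the scheme the consumer used and once with the scheme the backend sees after SSL offloading. Assumptions: the host, key and signature method are constructed, HMAC-SHA1 stands in for the thread's RSA-SHA1 so the block needs only the standard library (both methods sign the same base string), and the balancer is assumed to set `X-Forwarded-Proto`.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded
    return quote(s, safe="-._~")

def base_string_uri(scheme, host_header, path):
    # RFC 5849 section 3.4.1.2: lowercase scheme and host, drop the default port
    scheme, host = scheme.lower(), host_header.lower()
    default_port = {"http": ":80", "https": ":443"}[scheme]
    if host.endswith(default_port):
        host = host[: -len(default_port)]
    return f"{scheme}://{host}{path}"

def signature_base_string(method, scheme, host_header, path, params):
    # Parameters are encoded first, then sorted, then joined
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    uri = base_string_uri(scheme, host_header, path)
    return "&".join([method.upper(), pct(uri), pct(normalized)])

def sign(base_string, key):
    # HMAC-SHA1 stand-in for RSA-SHA1 (assumption made for this example)
    mac = hmac.new(key.encode(), base_string.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def effective_scheme(backend_scheme, headers, from_trusted_balancer):
    # Honour X-Forwarded-Proto only on connections arriving from the balancer;
    # a client that reaches the backend directly could set the header itself.
    proto = headers.get("X-Forwarded-Proto")
    if from_trusted_balancer and proto in ("http", "https"):
        return proto
    return backend_scheme

def provider_accepts(signature, scheme, host_header, path, params, key):
    base = signature_base_string("POST", scheme, host_header, path, params)
    return hmac.compare_digest(sign(base, key), signature)

# Constructed sample values (host and key are hypothetical)
HOST, PATH, KEY = "portal.example", "/oauth/request_token", "constructed-secret&"
PARAMS = {"oauth_consumer_key": "GammaPortal", "oauth_version": "1.0",
          "oauth_nonce": "7b684483-5daf-4aa6-a520-a8c4d66070ad",
          "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1314362751"}
CLIENT_SIG = sign(signature_base_string("POST", "https", HOST, PATH, PARAMS), KEY)

if __name__ == "__main__":
    fwd = effective_scheme("http", {"X-Forwarded-Proto": "https"}, True)
    print("backend scheme:", provider_accepts(CLIENT_SIG, "http", HOST, PATH, PARAMS, KEY))
    print("forwarded scheme:", provider_accepts(CLIENT_SIG, fwd, HOST, PATH, PARAMS, KEY))
```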