Matteo *created* an issue
GeoServer / Bug GEOS-10158
POST request -> j_spring_security_check is in http plain even if geoserver is running under https.
https://osgeo-org.atlassian.net/browse/GEOS-10158
Issue Type: Bug
Affects Versions: 2.19.1, 2.20-RC
Assignee: Unassigned
Created: 23/Jul/21 10:00 AM
Environment:
  Ubuntu 18.04
  Tomcat 9
  Nginx
  Geoserver 2.20 snapshot and 2.19.1
Priority: Medium
Reporter: Matteo
Hello guys,
I recently ran into a problem using GeoServer 2.20 and 2.19.1. Basically, when
we use GeoServer with a reverse proxy in front, even though the Proxy Base URL
is set correctly with the https:// protocol and the proxy base URL is correctly
valid, reporting https:// (I checked from the GetCapabilities), on the GeoServer
home page the POST call to the *j_spring_security_check* file remains in
http:// instead of being correctly in https://. This causes an alert from the
browsers because they highlight that the site content is not completely in https
but there are references to plain http. This also lets the browser display
an alert before doing the POST, asking the customer if they are sure to send
data over an insecure channel.
I noticed that this problem is not present in version 2.18.1, where the POST
call is correctly made to " *../j_spring_security_check* " instead of using an
absolute path that starts with http://
Example of what I'm getting using 2.20 and 2.19.1:
<form style="display: inline-block;" method="post"
action="http://$domain/geoserver/j_spring_security_check">
Example of what I'm getting using 2.18.1:
<form style="display: inline-block;" method="post"
action="../j_spring_security_check">
Thanks in advance.
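A check for the symptom reported above, added here as an example (it is not GeoServer code and not from the reporter): it parses a page's HTML and lists the forms that an HTTPS page would submit over plain http, resolving each action the way a browser does. The host gis.example.org and the page URL are constructed stand-ins for the report's $domain and the GeoServer home page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects <form> method/action pairs and the first <base href>."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base_href is None and attrs.get("href"):
            self.base_href = attrs["href"]
        elif tag == "form":
            method = (attrs.get("method") or "get").lower()
            self.forms.append((method, attrs.get("action") or ""))


def insecure_form_targets(page_url, html):
    """Return (method, resolved_url) for each form on an HTTPS page whose
    action resolves to plain http, as a browser would resolve it."""
    if urlsplit(page_url).scheme != "https":
        return []  # nothing to downgrade on a page that is not HTTPS
    collector = _FormCollector()
    collector.feed(html)
    # Relative actions resolve against <base href> if present, else the page.
    base = urljoin(page_url, collector.base_href or "")
    findings = []
    for method, action in collector.forms:
        resolved = urljoin(base, action)
        if urlsplit(resolved).scheme == "http":
            findings.append((method, resolved))
    return findings


# Constructed inputs: the two form tags quoted in the report, with the
# report's $domain replaced by the placeholder host gis.example.org.
PAGE_URL = "https://gis.example.org/geoserver/web/"  # assumed home page URL
FORM_ABSOLUTE = ('<form style="display: inline-block;" method="post" '
                 'action="http://gis.example.org/geoserver/j_spring_security_check">')
FORM_RELATIVE = ('<form style="display: inline-block;" method="post" '
                 'action="../j_spring_security_check">')

if __name__ == "__main__":
    print(insecure_form_targets(PAGE_URL, FORM_ABSOLUTE))
    print(insecure_form_targets(PAGE_URL, FORM_RELATIVE))
```

The absolute http:// action is flagged, while the relative action inherits the page's https scheme and is not.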
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel