[Geoserver-devel] [JIRA] (GEOS-10158) POST request -> j_spring_security_check is in http plain even if geoserver is running under https.

Matteo created an issue

GeoServer / GEOS-10158

POST request -> j_spring_security_check is in http plain even if geoserver is running under https.

Issue Type:

Bug

Affects Versions:

2.19.1, 2.20-RC

Assignee:

Unassigned

Created:

23/Jul/21 10:00 AM

Environment:

Ubuntu 18.04
Tomcat 9
Nginx
Geoserver 2.20 snapshot and 2.19.1

Priority:

Medium

Reporter:

Matteo

Hello guys,
I recently ran into a problem using GeoServer 2.20 and 2.19.1. Basically, when we use GeoServer with a reverse proxy in front, despite the Proxy Base URL being set correctly with the https:// protocol and the proxy base URL being correctly valid, reporting https:// (I checked from the GetCapabilities), on the GeoServer home page the POST call to the j_spring_security_check file remains in http:// instead of being correctly in https://. This causes an alert from the browsers because they highlight that the site content is not completely in https but there are references to plain http. This also makes the browser display an alert before doing the POST, asking the customer whether they are sure they want to send data over an insecure channel.

I noticed that this problem is not present in version 2.18.1, where the POST call is correctly made to "…/j_spring_security_check" instead of using an absolute path that starts with http://

Example of what I'm getting using 2.20 and 2.19.1:

<form style="display: inline-block;" method="post" action="http://$domain/geoserver/j_spring_security_check">

Example of what I'm getting using 2.18.1:

<form style="display: inline-block;" method="post" action="…/j_spring_security_check">

Thanks in advance.
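
A check for the symptom described in this report, as an added example that is not part of the original issue or of GeoServer's code: it parses a page served over HTTPS and lists every form whose resolved action falls back to plain http://. The host gs.example.org, the function name `insecure_form_actions`, both sample pages and the `../` relative path are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects (method, action) for every <form> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            method = (a.get("method") or "get").lower()
            self.forms.append((method, a.get("action") or ""))


def insecure_form_actions(page_url, html):
    """Return (method, target) for forms that leave HTTPS on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # page itself is not HTTPS, so there is no downgrade to flag
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for method, action in collector.forms:
        # Relative actions inherit the page's scheme; absolute ones keep theirs.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme == "http":
            findings.append((method, target))
    return findings


# Constructed sample pages; gs.example.org is a placeholder host.
PAGE_URL = "https://gs.example.org/geoserver/web/"
# Absolute http:// action, the shape reported for 2.19.1 and 2.20.
ABSOLUTE = ('<form style="display: inline-block;" method="post" '
            'action="http://gs.example.org/geoserver/j_spring_security_check">'
            '<input name="username"><input name="password" type="password">'
            '</form>')
# Relative action (assumed "../" prefix), the shape reported for 2.18.1.
RELATIVE = ('<form style="display: inline-block;" method="post" '
            'action="../j_spring_security_check"></form>')

if __name__ == "__main__":
    for name, html in (("absolute", ABSOLUTE), ("relative", RELATIVE)):
        print(name, insecure_form_actions(PAGE_URL, html))
```

Run against the login page as fetched through the reverse proxy, a non-empty result means the credentials form would be submitted over an unencrypted channel.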
