0024795: If Openbravo is behind a proxy server that uses https. Login page is forwarded with protocol http.

Description

In the case there is a proxy server that exposes the Openbravo application using the https protocol, but request to Openbravo from the proxy uses http, then during the login process Openbravo sends a redirection to the menu with the protocol http and sending the username and password clear through the net.

This is because when redirecting to menu, Openbravo builds an absolute URL using the request that is http not https

Steps To Reproduce

In description

Proposed Solution

Instead of building an absolute URL, build a relative URL in redirections.
Attached a fix for the case of the redirection in the login process only.

Tags

No tags attached.

Attached Files

Fix-24795.patch [^] (4,723 bytes) 2013-09-19 13:14 [Show Content] [Hide Content]

diff --git a/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java b/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java
--- a/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java
+++ b/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java
@@ -124,7 +124,7 @@
     }
 
     // Storing target string to redirect after a successful login
-    variables.setSessionValue("target", strDireccionLocal + "/security/Menu.html"
+    variables.setSessionValue("target", request.getContextPath() + "/security/Menu.html"
         + (qString != null && !qString.equals("") ? "?" + qString : ""));
     if (qString != null && !qString.equals("")) {
       variables.setSessionValue("targetQueryString", qString);
diff --git a/src/org/openbravo/base/secureApp/LoginHandler.java b/src/org/openbravo/base/secureApp/LoginHandler.java
--- a/src/org/openbravo/base/secureApp/LoginHandler.java
+++ b/src/org/openbravo/base/secureApp/LoginHandler.java
@@ -93,7 +93,7 @@
           if (StringUtils.isEmpty(strUserAuth)) {
             throw new AuthenticationException("Message");// FIXME
           }
-          checkLicenseAndGo(res, vars, strUserAuth, strUser, sessionId, doRedirect);
+          checkLicenseAndGo(req, res, vars, strUserAuth, strUser, sessionId, doRedirect);
 
         } catch (AuthenticationException e) {
 
@@ -118,9 +118,9 @@
     }
   }
 
-  private void checkLicenseAndGo(HttpServletResponse res, VariablesSecureApp vars,
-      String strUserAuth, String username, String sessionId, boolean redirect) throws IOException,
-      ServletException {
+  private void checkLicenseAndGo(HttpServletRequest req, HttpServletResponse res,
+      VariablesSecureApp vars, String strUserAuth, String username, String sessionId,
+      boolean redirect) throws IOException, ServletException {
     OBContext.setAdminMode();
     try {
       ActivationKey ak = ActivationKey.getInstance(true);
@@ -287,7 +287,7 @@
       }
 
       // All checks passed successfully, continue logging in
-      goToTarget(res, vars, doRedirect);
+      goToTarget(req, res, vars, doRedirect);
     } finally {
       OBContext.restorePreviousMode();
     }
@@ -309,13 +309,13 @@
 
   }
 
-  private void goToTarget(HttpServletResponse response, VariablesSecureApp vars, boolean doRedirect)
-      throws IOException, ServletException {
+  private void goToTarget(HttpServletRequest request, HttpServletResponse response,
+      VariablesSecureApp vars, boolean doRedirect) throws IOException, ServletException {
 
     String target = vars.getSessionValue("target");
 
     if (target.equals("")) {
-      target = strDireccion + "/security/Menu.html";
+      target = request.getContextPath() + "/security/Menu.html";
     }
 
     if (OBVersion.getInstance().is30() && !doRedirect) {
diff --git a/src/org/openbravo/erpCommon/security/Menu.java b/src/org/openbravo/erpCommon/security/Menu.java
--- a/src/org/openbravo/erpCommon/security/Menu.java
+++ b/src/org/openbravo/erpCommon/security/Menu.java
@@ -26,7 +26,6 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.openbravo.base.HttpBaseServlet;
 import org.openbravo.base.filter.IsIDFilter;
 import org.openbravo.base.filter.ValueListFilter;
 import org.openbravo.base.model.Entity;
@@ -63,7 +62,7 @@
       ServletException {
     final String queryString = request.getQueryString();
     VariablesSecureApp vars = new VariablesSecureApp(request);
-    String targetmenu = getTargetMenu(vars, queryString);
+    String targetmenu = getTargetMenu(request, vars, queryString);
 
     // successfull login, redirect to the startpage if any
     if (!OBContext.getOBContext().isAdminContext() && request.getParameter("noprefs") == null) {
@@ -154,7 +153,8 @@
    * @return The URL string used for the right frame of the application
    * @throws ServletException
    */
-  private String getTargetMenu(VariablesSecureApp vars, String queryString) throws ServletException {
+  private String getTargetMenu(HttpServletRequest request, VariablesSecureApp vars,
+      String queryString) throws ServletException {
 
     final String[] allowedCommands = { "", "DEFAULT", "NEW", "EDIT", "GRID", "DIRECT" };
     final ValueListFilter listFilter = new ValueListFilter(allowedCommands);
@@ -170,7 +170,7 @@
         return "";
       }
       // Removing "url=" from query string
-      targetmenu = HttpBaseServlet.strDireccion + qString.substring(4);
+      targetmenu = request.getContextPath() + qString.substring(4);
 
       // Replacing first ampersand (&) with a question mark (?) to get a valid URL
       targetmenu = targetmenu.replaceFirst("&", "?");

Relationships [ Relation Graph ] [ Dependency Graph ]

Notes
(0081704) shuehner (administrator) 2015-11-11 13:14	Note: there is probably server config bug involved. As when having SSL termination done not in tomcat itself but in some other software before. You need to configure that software properly to tell tomcat that the outside global url is with ssl. When done correctly Openbravo will work just fine (ie. running live like that in all of ondemand). Note: That does not invalidate this issue, as not relying on this in some code make it more robust against that wrong configuration problem.

Issue History
Date Modified	Username	Field	Change
2013-09-19 13:13	adrianromero	New Issue
2013-09-19 13:13	adrianromero	Assigned To	=> AugustoMauch
2013-09-19 13:13	adrianromero	Modules	=> Core
2013-09-19 13:13	adrianromero	Triggers an Emergency Pack	=> No
2013-09-19 13:14	adrianromero	File Added: Fix-24795.patch
2013-09-19 13:30	shuehner	Issue Monitored: shuehner
2015-03-17 14:37	alostale	Assigned To	AugustoMauch => platform
2015-11-11 11:30	alostale	Priority	urgent => normal
2015-11-11 11:30	alostale	Severity	major => minor
2015-11-11 11:30	alostale	Status	new => acknowledged
2015-11-11 13:14	shuehner	Note Added: 0081704
2022-02-01 08:05	alostale	Assigned To	platform => Triage Platform Base