OpenWIS / openwis

http://openwis.github.io/openwis
GNU General Public License v3.0

GeoNetwork MetaData Portal Redirects To HTTP Port 80 #416

Open mgiannoni opened 1 year ago

mgiannoni commented 1 year ago

Full HTTPs port 443 implementation still redirects to HTTP port 80

Apache Frontend Configured For HTTPs

Implemented Apache frontend using IG-OpenWIS-3.16 Installation Guide

Security Service Circle of Trust configured for HTTPs

COT-Settings

Servers & Sites Settings

Servers-Sites-Settings

Portal Federation Services Configured For HTTPs

Portal SAML2 Fedlet

```xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="AdminPortal">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://giscdev-washington.mdl.nws.noaa.gov/openwis-admin-portal/fedletSloRedirect" ResponseLocation="https://giscdev-washington.mdl.nws.noaa.gov/openwis-admin-portal/fedletSloRedirect"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://giscdev-washington.mdl.nws.noaa.gov/openwis-admin-portal/fedletSloPOST" ResponseLocation="https://giscdev-washington.mdl.nws.noaa.gov/openwis-admin-portal/fedletSloPOST"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://giscdev-washington.mdl.nws.noaa.gov/openwis-admin-portal/fedletSloSoap"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://giscdev-washington.mdl.nws.noaa.gov/openwis-admin-portal/openWisAuthorization"/>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://giscdev-washington.mdl.nws.noaa.gov/openwis-admin-portal/openWisAuthorization"/>
  </SPSSODescriptor>
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
```

OpenAM IDP Services

IDP-Services

OpenAM SP openwis-admin-portal Services

SP-Services

Apache Frontend Logging Still Showing HTTP port 80

```
137.75.80.24 - - [08/Feb/2023:15:35:47 +0000] "GET /openam/UI/Login?realm=/&spEntityID=AdminPortal&goto=http%3A%2F%2Fgiscdev-washington.mdl.nws.noaa.gov%2Fopenam%2FSSORedirect%2FmetaAlias%2Fidp%3FReqID%3Ds2f032a37358dab87eab3d7c111dbccc33182c8bcf%26index%3Dnull%26acsURL%3Dhttps%253A%252F%252Fgiscdev-washington.mdl.nws.noaa.gov%252Fopenwis-admin-portal%252FopenWisAuthorization%26spEntityID%3DAdminPortal%26binding%3Durn%253Aoasis%253Anames%253Atc%253ASAML%253A2.0%253Abindings%253AHTTP-POST HTTP/1.1" 301 700
137.75.80.24 - - [08/Feb/2023:15:36:02 +0000] "GET /openam/SSORedirect/metaAlias/idp?ReqID=s2f032a37358dab87eab3d7c111dbccc33182c8bcf&index=null&acsURL=https%3A%2F%2Fgiscdev-washington.mdl.nws.noaa.gov%2Fopenwis-admin-portal%2FopenWisAuthorization&spEntityID=AdminPortal&binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST HTTP/1.1" 301 555
137.75.80.24 - - [08/Feb/2023:15:36:02 +0000] "GET /openam/SSORedirect/metaAlias/idp?resInfoID=s2e8ec265a28905cbe182264b074d5b8cbc0c94e01 HTTP/1.1" 301 337
137.75.80.24 - - [08/Feb/2023:15:36:02 +0000] "GET /openwis-admin-portal/openWisGetToken HTTP/1.1" 301 288
137.75.80.24 - - [08/Feb/2023:15:36:53 +0000] "-" 408 -
137.75.80.24 - - [08/Feb/2023:15:37:09 +0000] "GET /openam/UI/Login?realm=/&spEntityID=AdminPortal&goto=http%3A%2F%2Fgiscdev-washington.mdl.nws.noaa.gov%2Fopenam%2FSSORedirect%2FmetaAlias%2Fidp%3FReqID%3Ds20608142ccc90ec13c61a7799646bd2462a41dfdb%26index%3Dnull%26acsURL%3Dhttps%253A%252F%252Fgiscdev-washington.mdl.nws.noaa.gov%252Fopenwis-admin-portal%252FopenWisAuthorization%26spEntityID%3DAdminPortal%26binding%3Durn%253Aoasis%253Anames%253Atc%253ASAML%253A2.0%253Abindings%253AHTTP-POST HTTP/1.1" 301 700
137.75.80.24 - - [08/Feb/2023:15:37:22 +0000] "GET /openam/SSORedirect/metaAlias/idp?ReqID=s20608142ccc90ec13c61a7799646bd2462a41dfdb&index=null&acsURL=https%3A%2F%2Fgiscdev-washington.mdl.nws.noaa.gov%2Fopenwis-admin-portal%2FopenWisAuthorization&spEntityID=AdminPortal&binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST HTTP/1.1" 301 555
137.75.80.24 - - [08/Feb/2023:15:37:22 +0000] "GET /openam/SSORedirect/metaAlias/idp?resInfoID=s2731806b0b3a7797cb34de4bfdd5e4921e8fb2f01 HTTP/1.1" 301 337
137.75.80.24 - - [08/Feb/2023:15:37:23 +0000] "GET /openwis-admin-portal/openWisGetToken HTTP/1.1" 301 288
137.75.80.24 - - [08/Feb/2023:15:38:13 +0000] "-" 408 -
```

Source Code Bread-Crumbs

This function constructs a URL without any consideration of the HTTP/HTTPs protocol.

./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/DataManager.java

```java
//---------------------------------------------------------------------------
public String getSiteURL() {
    String host = settingMan.getValue("system/server/host");
    String port = settingMan.getValue("system/server/port");
    String locServ = baseURL + "/" + Jeeves.Prefix.SERVICE + "/en";
    // Scheme is hard-coded to "http://"; only port 80 is treated as default.
    return "http://" + host + (port.equals("80") ? "" : ":" + port) + locServ;
}
//---------------------------------------------------------------------------
```

This appears to be used in several locations:

```sh
find . -name '*.java' -exec grep -i getSiteURL {} \; -print | egrep 'java$'
```

```
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/guiservices/util/GetSiteURL.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/DataManager.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/harvest/harvester/fragment/FragmentHarvester.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/harvest/harvester/metadatafragments/Harvester.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/harvest/harvester/thredds/Harvester.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/oaipmh/Lib.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/oaipmh/OaiPmhDispatcher.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/oaipmh/services/Identify.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/setting/SettingInfo.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/services/metadata/PrepareFileDownload.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/services/register/SelfRegister.java
./openwis-metadataportal/openwis-portal/src/main/java/org/openwis/metadataportal/kernel/metadata/MetadataManager.java
./openwis-metadataportal/openwis-portal/src/main/java/org/openwis/metadataportal/services/register/SelfRegister.java
```
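The following is an added example, not OpenWIS or GeoNetwork project code, showing what a protocol-aware replacement for the `getSiteURL()` above could look like. It assumes a hypothetical `system/server/protocol` setting (the key name is an assumption) and, when that setting is absent, lets the caller pass the `X-Forwarded-Proto` value that a TLS-terminating Apache frontend can set; the settings manager, `Jeeves.Prefix.SERVICE` and the base URL are replaced by constructed stand-ins. The legacy method is kept alongside so the difference is visible: with port 443 configured, the legacy code still emits `http://host:443/...`, because it only recognises port 80 as a default.

```java
import java.util.HashMap;
import java.util.Map;

public class SiteUrlBuilder {

    // Stand-in for GeoNetwork's SettingManager (constructed, not project code).
    private final Map<String, String> settings;
    private final String baseURL;
    // Stand-in for Jeeves.Prefix.SERVICE.
    private static final String SERVICE_PREFIX = "srv";

    public SiteUrlBuilder(Map<String, String> settings, String baseURL) {
        this.settings = settings;
        this.baseURL = baseURL;
    }

    /** Behaviour of the original code, kept for comparison: scheme is always "http://". */
    public String getSiteURLLegacy() {
        String host = settings.get("system/server/host");
        String port = settings.get("system/server/port");
        String locServ = baseURL + "/" + SERVICE_PREFIX + "/en";
        return "http://" + host + (port.equals("80") ? "" : ":" + port) + locServ;
    }

    /**
     * Protocol-aware version. forwardedProto is the X-Forwarded-Proto request
     * header as set by a trusted reverse proxy, or null when there is none.
     * Only pass it when the proxy is the sole path to the application; an
     * untrusted client must not be able to choose the scheme.
     */
    public String getSiteURL(String forwardedProto) {
        String protocol = settings.get("system/server/protocol"); // assumed setting key
        if (protocol == null || protocol.isEmpty()) {
            protocol = "https".equalsIgnoreCase(forwardedProto) ? "https" : "http";
        }
        protocol = protocol.toLowerCase();
        if (!protocol.equals("http") && !protocol.equals("https")) {
            throw new IllegalArgumentException("Unsupported protocol: " + protocol);
        }
        String host = settings.get("system/server/host");
        String port = settings.get("system/server/port");
        // Omit the port only when it is the default for the chosen scheme.
        String defaultPort = protocol.equals("https") ? "443" : "80";
        String portPart = (port == null || port.isEmpty() || port.equals(defaultPort))
                ? "" : ":" + port;
        String locServ = baseURL + "/" + SERVICE_PREFIX + "/en";
        return protocol + "://" + host + portPart + locServ;
    }

    public static void main(String[] args) {
        // Constructed sample configuration for a portal served over HTTPS.
        Map<String, String> s = new HashMap<>();
        s.put("system/server/host", "portal.example.org");
        s.put("system/server/port", "443");
        s.put("system/server/protocol", "https");
        SiteUrlBuilder b = new SiteUrlBuilder(s, "/geonetwork");

        System.out.println("legacy : " + b.getSiteURLLegacy());
        System.out.println("fixed  : " + b.getSiteURL(null));

        // Same deployment with no protocol setting, relying on the proxy header.
        s.remove("system/server/protocol");
        System.out.println("proxied: " + b.getSiteURL("https"));
        System.out.println("direct : " + b.getSiteURL(null));
    }
}
```

Every caller listed by the `find` above builds absolute URLs from this one method, so a single fix here corrects the `Location:` headers on the redirects without having to rely on browser-side HSTS; HSTS remains worthwhile as defence in depth, but it does not help non-browser clients such as harvesters or OAI-PMH consumers, which see the plain `http://` redirect as-is.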

yvesgoupil commented 1 year ago

Marc, I had a similar issue, Yannick Lizzi told me to add in /etc/httpd/conf/httpd.conf

```apache
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"
```

Could you test it? Yves.

mgiannoni commented 1 year ago

Yves: This appears to fix the problem using browser-side support for enforcing HTTPS transport security. However, the issue in the code remains where HTTP 302 redirects set the "Location" header to plain old "http://:80"

GeoNetwork-GetSiteURL-Bug

mgiannoni commented 1 year ago

Yves:

Yes, this fixes the problem. The GeoNetwork code still does the wrong thing when forming the HTTP 302 redirect by setting the "Location:" header to plain "http://" port 80

Thanks! Marc Giannoni Unix System Engineer, Guidehouse Phone: 301.427.9478 Cell: 301.915.5266


yvesgoupil commented 1 year ago

Marc: Perfect, this issue could be closed. I set the labels to "Close me".

Yves.