ilscipio / scipio-erp

A scalable large-scale eCommerce framework that is made for multinational omnichannel installations and is easy to customize.
https://www.scipioerp.com
Apache License 2.0
335 stars, 182 forks

Scipio ERP does not respect port.https.enabled property #17

Closed dram closed 3 years ago

dram commented 3 years ago

When I try to change the port.https.enabled property in framework/webapp/config/url.properties to N, Scipio ERP still redirects HTTP to HTTPS, which I think is incorrect.

Steps to reproduce:

  1. Set port.https.enabled to N
  2. Restart Scipio ERP
  3. curl -v http://localhost:8080/admin/control/main

In step 3, the server responds with a 301 redirect, with the Location header set to https://localhost:8443/admin/control/main.
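The check in step 3 can be scripted so that a deployment's redirect behaviour is recorded rather than eyeballed from curl output. The following is an added example written for this thread, not code from Scipio ERP: it sends one GET over plain HTTP without following redirects, resolves the Location header against the requested URL the way a browser would, and reports whether the request was forced to HTTPS and whether a jsessionid path parameter (the session-id-in-URL exposure the maintainers refer to) appears in the target. The host, ports and the 301 sample are taken from the report; the result labels and the probe() helper are this example's own.

```python
"""Classify how a server answers a plain-HTTP request (added example).

Reproduces `curl -v http://localhost:8080/admin/control/main` without
following redirects, then inspects the answer.  Not Scipio ERP code.
"""
import re
from http.client import HTTPConnection
from urllib.parse import urljoin, urlsplit

# Servlet containers append the session id as a path parameter, e.g.
# /admin/control/main;jsessionid=ABC123 (constructed form, standard syntax).
JSESSIONID_RE = re.compile(r";jsessionid=[^?#/]+", re.IGNORECASE)
REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_response(status, headers, request_url):
    """Describe how the server answered a plain-HTTP request.

    status: HTTP status code; headers: mapping of header name -> value
    (looked up case-insensitively); request_url: the URL that was requested,
    used to resolve a relative Location header the way a browser would.
    """
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    result = {
        "status": status,
        "redirect": None,         # absolute target URL, or None if not redirected
        "forces_https": False,    # True when the redirect target uses https
        "session_in_url": False,  # True when a jsessionid appears in the target
    }
    if status in REDIRECT_CODES and location:
        target = urljoin(request_url, location)
        result["redirect"] = target
        result["forces_https"] = urlsplit(target).scheme.lower() == "https"
        result["session_in_url"] = bool(JSESSIONID_RE.search(target))
    return result


def probe(url, timeout=5.0):
    """Live check: one GET over plain HTTP, redirects NOT followed."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("probe() sends plain HTTP; pass an http:// URL")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": parts.netloc})
        resp = conn.getresponse()
        return classify_response(resp.status, dict(resp.getheaders()), url)
    finally:
        conn.close()


# Constructed sample: the exchange described in step 3 of the report.
SAMPLE_URL = "http://localhost:8080/admin/control/main"
SAMPLE_STATUS = 301
SAMPLE_HEADERS = {
    "Location": "https://localhost:8443/admin/control/main",
    "Content-Length": "0",
}


def describe(result):
    """One-line human summary of a classify_response() result."""
    if result["redirect"] is None:
        return f'{result["status"]}, served over plain HTTP (no redirect)'
    line = f'{result["status"]} -> {result["redirect"]}'
    if result["forces_https"]:
        line += " (HTTP forced to HTTPS)"
    if result["session_in_url"]:
        line += " [session id exposed in URL]"
    return line


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python3 check.py http://localhost:8080/admin/control/main
        print(describe(probe(sys.argv[1])))
    else:
        print(describe(classify_response(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_URL)))
```

Run with no arguments it classifies the constructed sample; with an http:// URL it performs the live check. Because redirects are never followed, the script also shows the intermediate hop where a session id would be written into browser history and proxy access logs, which is the point raised later in the thread.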

dram commented 3 years ago

With some more investigation, it seems that I also need to set secure-redirect-url-format to ofbiz-url to prevent the HTTPS redirection.

And the following is the related code:

https://github.com/ilscipio/scipio-erp/blob/c396ff1decd435dd828a26bd771def33cf35aae3/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java#L436-L476

pplx commented 3 years ago

Hello! Thank you for noticing this behavior.

Since at least version 2.0.0, Scipio ERP forces the secure HTTPS protocol for most requests regardless of that setting, in the controller, redirect and link-building code. So port.https.enabled=N would be considered deprecated. This change was made for security reasons (jsessionids in URLs) and to simplify setups and redirects.

If you need a specific plain HTTP request, in Scipio you can set <security https="false"/> in a controller request-map and it will be respected for that URL (this is different from upstream projects, so you don't have to use http.request-map.list in url.properties). This exists mostly for special backend requests and is never used in frontend shops these days.

pplx commented 3 years ago

We'll close this but feel free to comment again.

dram commented 3 years ago

Hi pplx,

Thank you for pointing out the security configs in the controller.

What I'd like to do is deploy Scipio behind NGINX, let NGINX offload the SSL requests, and then forward them to Scipio as plain HTTP requests.

After doing a simple grep, I found that there are about 3400 security https="true" lines in the whole codebase; it seems impossible to change all of them, so is there a way to turn on HTTP globally?

BTW, regarding security issues with session ids in URLs, I recently had a short discussion with OFBiz upstream [1]. I think that using HTTPS cannot fully solve that problem, as that info will still exist in browser history and in the access logs of servers and proxies.

[1] https://issues.apache.org/jira/browse/OFBIZ-12252

pplx commented 3 years ago

We have some load-balancing documentation here: https://www.scipioerp.com/community/developer/installation-configuration/clustering/webserver-configuration/

In that case you want to leave port.https.enabled=Y anyway, because it concerns URL generation rather than the behavior of the webapp container (catalina/scipio-component.xml).

dram commented 3 years ago

Thanks!

I'll have a try with the documentation.

Regarding URL generation, there are two other ways to do that; take https://localhost:8443/admin/control/main for example:

  1. use a relative URL: /admin/control/main
  2. omit the protocol: //localhost:8443/admin/control/main

Although the second one is not recommended now [1], I'm curious why we can't use the first one.

[1] https://stackoverflow.com/a/15146073

pplx commented 3 years ago

Both of those forms can be used in Scipio, and the first is the default generated in most cases. /admin/control/main is what is generated by the standard link-building utilities like the @pageUrl (previously known as @ofbizUrl) FreeMarker macro and the request handler.

The full domain and port usually get added when making inter-webapp and inter-server links if it's expected that it may differ.

For redirects, normally the full URL with protocol is produced.

The link you posted is about externalLoginKey, which is not the same issue as the jsessionid and is managed separately from other URL and security settings.

dram commented 3 years ago

It looks a bit complicated, thank you for your patient explanation!