wso2 IS OP problem. Firefox giving redirect security warnings.
--------------------------------------------------------------

                 Key: IDENTITY-208
                 URL: https://wso2.org/jira/browse/IDENTITY-208
             Project: WSO2 Identity Solution
          Issue Type: Bug
          Components: identity-provider
    Affects Versions: Current (Nightly)
         Environment: debian linux, sun JVM 1.5
            Reporter: Harm Verhagen


Hi,

I think I found a problem in the IS OP whenever the RP callback page is on http
(instead of on https).

steps to reproduce
==============
1) Use Firefox as user agent (IE does _not_ give this problem).
2) use wso2 IS as OP
3) Use an RP that has a http return address (not https).
        I used
4) enter openid in RP: http://host:12080/user/Bob
5) redirected to wso2 IS.
6) enter password
7) redirected to https://host:12443/OpenIDRedirect.action

result
====
Firefox gives a popup with the following text:

"Although this page is encrypted, the information you have entered is to be 
sent over an unencrypted connection and could easily be read by a third party.

Are you sure you want to continue sending this information?"

This popup cannot be disabled; a user _always_ gets this.


Suspected problem area.
====================
The OpenIDRedirect.action does a redirect using a form post. It itself
resides on a https address, and the redirect might be to a http (no https)
address.
Firefox ALWAYS warns whenever you do this. On that page a user is filling
data into a form on a https page, but it gets sent to a non-https site.

I suspect the correct fix is that wso2 IS should serve the
OpenIDRedirect.action on a http address, NOT https.
So http://host:12080/OpenIDRedirect.action instead of
https://host:12443/OpenIDRedirect.action
So in ./identity/modules/user-ui/src/main/webapp/jsp/redirect.jsp
response.sendRedirect("OpenIDRedirect.action");      <----- should redirect to
the http port here (12080).
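Added example (not code from the report or from WSO2 IS): a small Python check for the condition described above, together with the scheme-matching selection of the redirect page that the report proposes. The HTTP/HTTPS ports 12080 and 12443 are taken from the report; the hostnames, the RP's return_to URLs and the helper names are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed configuration mirroring the report: the IS serves plain HTTP on
# 12080 and HTTPS on 12443 (ports from the report; "host" is a placeholder).
HTTP_BASE = "http://host:12080"
HTTPS_BASE = "https://host:12443"
REDIRECT_ACTION = "/OpenIDRedirect.action"


def form_post_crosses_to_cleartext(form_page_url: str, return_to: str) -> bool:
    """True when an auto-submitting form hosted on an https page posts to an
    http return_to. This is exactly the situation that makes Firefox show the
    "information you have entered is to be sent over an unencrypted
    connection" prompt, so it is the condition a deployment should detect."""
    page_scheme = urlparse(form_page_url).scheme.lower()
    target_scheme = urlparse(return_to).scheme.lower()
    return page_scheme == "https" and target_scheme == "http"


def redirect_page_for(return_to: str) -> str:
    """Pick the absolute URL of OpenIDRedirect.action so that the page hosting
    the auto-submit form uses the same scheme as the RP's return_to.
    This is the fix the report proposes (http RP -> http redirect page);
    an https RP keeps the https redirect page."""
    scheme = urlparse(return_to).scheme.lower()
    if scheme == "https":
        return HTTPS_BASE + REDIRECT_ACTION
    if scheme == "http":
        return HTTP_BASE + REDIRECT_ACTION
    raise ValueError(f"unsupported return_to scheme: {scheme!r}")


def walk_through(return_to: str) -> dict:
    """Reproduce the report's flow for one return_to: the current behaviour
    (redirect page always on https) and the proposed behaviour."""
    current_page = HTTPS_BASE + REDIRECT_ACTION
    proposed_page = redirect_page_for(return_to)
    return {
        "current_page": current_page,
        "current_warns": form_post_crosses_to_cleartext(current_page, return_to),
        "proposed_page": proposed_page,
        "proposed_warns": form_post_crosses_to_cleartext(proposed_page, return_to),
    }


if __name__ == "__main__":
    # Constructed RP return addresses, one http (as in the report) and one https.
    for rp in ("http://rp.example/openid/return", "https://rp.example/openid/return"):
        print(rp, walk_through(rp))
```

Note that matching the scheme only removes the browser prompt; with an http return_to the assertion still travels to the RP in cleartext, which is what the prompt was pointing out, so the http redirect page is only appropriate where an http RP is acceptable at all.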
