[ https://wso2.org/jira/browse/IDENTITY-208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Harm Verhagen updated IDENTITY-208:
-----------------------------------

    Attachment: is.patch

Attached is a patch for this problem.
Tested with Firefox 3. Security warnings are gone.

ref: http://wso2.org/mailarchive/identity-user/2009-February/000047.html

> wso2 IS OP problem. Firefox giving redirect security warnings.
> --------------------------------------------------------------
>
>                 Key: IDENTITY-208
>                 URL: https://wso2.org/jira/browse/IDENTITY-208
>             Project: WSO2 Identity Solution
>          Issue Type: Bug
>          Components: identity-provider
>    Affects Versions: Current (Nightly)
>         Environment: debian linux, sun JVM 1.5
>            Reporter: Harm Verhagen
>         Attachments: is.patch
>
>
> Hi,
> I think I found a problem in the IS OP whenever the RP callback page is on http
> (instead of on https).
> Steps to reproduce
> ==============
> 1) Use Firefox as user agent (IE does _not_ give this problem).
> 2) Use wso2 IS as OP.
> 3) Use an RP that has an http return address (not https).
>         I used
> 4) Enter openid in RP: http://host:12080/user/Bob
> 5) Redirected to wso2 IS.
> 6) Enter password.
> 7) Redirected to https://host:12443/OpenIDRedirect.action
> Result
> ====
> Firefox gives a popup with the following text:
> "Although this page is encrypted, the information you have entered is to be
> sent over an unencrypted connection and could easily be read by a third party.
> Are you sure you want to continue sending this information?"
> This popup cannot be disabled; a user _always_ gets this.
> Suspected problem area
> ====================
>       The OpenIDRedirect.action does a redirect using a form post. It
> itself resides on an https address, and the redirect might be to an http (no
> https) address.
> Firefox ALWAYS warns whenever you do this. On that page a user is filling
> data into a form on an https page, but it gets sent to a non-https site.
> I suspect the correct fix is that wso2IS should serve the
> OpenIDRedirect.action on an http address, NOT https.
> So http://host:12080/OpenIDRedirect.action instead of https://host:12443/OpenIDRedirect.action
> So ./identity/modules/user-ui/src/main/webapp/jsp/redirect.jsp
> response.sendRedirect("OpenIDRedirect.action");      <----- should redirect
> to the http port here (12080).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://wso2.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
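Added example (Python, not WSO2 Identity Solution code) modelling the step the issue describes: the redirect page auto-submits the signed OpenID response to the RP's return_to by form POST, and a check flags when that POST would cross from an https page to an http return_to, which is the condition that makes Firefox warn and that sends the assertion in cleartext. The https-to-http port mapping 12443 -> 12080 is taken from the report; the function names and the mapping table are assumptions.

```python
from html import escape
from urllib.parse import urlsplit, urlunsplit

# Assumed mapping from the IS https port to its plain-http port (from the report,
# not read from any IS configuration).
HTTP_PORT_FOR_HTTPS = {12443: 12080}


def mixed_scheme_post(page_url: str, return_to: str) -> bool:
    """True when a form served on an https page would POST to an http return_to.

    This is exactly the case Firefox warns about: the signed OpenID assertion
    leaves the encrypted page and travels to the RP unencrypted.
    """
    page, target = urlsplit(page_url), urlsplit(return_to)
    return page.scheme == "https" and target.scheme == "http"


def redirect_page_url(page_url: str, return_to: str) -> str:
    """Pick the scheme/port the redirect page should be served on so the
    auto-submitted form does not cross from https to http (the fix the report
    suggests). Leaves the URL untouched when there is no crossing."""
    if not mixed_scheme_post(page_url, return_to):
        return page_url
    p = urlsplit(page_url)
    http_port = HTTP_PORT_FOR_HTTPS.get(p.port)
    if http_port is None:
        raise ValueError(f"no http port configured for https port {p.port}")
    return urlunsplit(("http", f"{p.hostname}:{http_port}", p.path, p.query, p.fragment))


def autosubmit_form(return_to: str, params: dict) -> str:
    """Render the auto-submitting POST form OpenIDRedirect.action emits.
    Values are HTML-escaped so RP-supplied strings cannot break the markup."""
    fields = "".join(
        f'<input type="hidden" name="{escape(k, quote=True)}" value="{escape(v, quote=True)}"/>'
        for k, v in params.items()
    )
    return (f'<form method="post" action="{escape(return_to, quote=True)}">{fields}</form>'
            '<script>document.forms[0].submit()</script>')


if __name__ == "__main__":
    # Constructed sample: the URLs from the report's reproduction steps.
    page = "https://host:12443/OpenIDRedirect.action"
    rp_return_to = "http://host:12080/user/Bob"
    if mixed_scheme_post(page, rp_return_to):
        print("https -> http form POST; Firefox will warn, assertion sent in clear")
        print("serve redirect page on:", redirect_page_url(page, rp_return_to))
```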

_______________________________________________
Identity-dev mailing list
https://wso2.org/cgi-bin/mailman/listinfo/identity-dev