HTTPS redirection is partially broken

Description

Despite setting the property opennms.web.base-url=https://%x%c/, which should force redirection of HTTP requests to HTTPS, there are certain paths where this fails. doesn’t seem to have fixed it completely. This problem is reproducible under the following conditions:

  • The browser is Chrome/Edge.

  • OpenNMS is Horizon 31.0.6 and up or latest Meridian.

  • OpenNMS is located behind a reverse proxy and the protocol used is HTTPS.

For example, navigate to https://opennms_host/opennms/admin/notification/noticeWizard/eventNotices.htm and choose Edit. Nothing happens instead of being redirected to the edit page. Further investigation shows that the scheme/protocol in the HTTP response returned by OpenNMS is http rather than https.

Furthermore, the newly added CSP header form-action 'self' appears to contribute to this. The error is shown below: pressing “Edit” violates the security policy.


My theory is that the purpose of that CSP header is to restrict URL redirection back to the site itself. Upon pressing “Edit”, a POST request is created and OpenNMS responds with the scheme/protocol http, which is not the same as the origin https URL, hence the security policy violation. This, however, does not happen when browsing with Firefox. It looks like Firefox permits that kind of HTTP interaction.

Other paths where this issue is observed are:

  • opennms/event/advsearch.jsp

  • /opennms/alarm/advsearch.jsp

  • opennms/admin/notification/destinationPaths.jsp

Environment

Browser: Chrome, Edge
OpenNMS: Horizon 31.0.6 and up, latest Meridian
OpenNMS is located behind a reverse proxy

Acceptance / Success Criteria

None


Activity


Christian Pape June 26, 2023 at 8:51 AM

Merged.

Christian Pape June 21, 2023 at 12:09 PM

The problem occurs on pages where we use relative redirects. In the Response class these redirects are converted to absolute URLs including the scheme, and since this class does not know that the current location is HTTPS it is converted to the HTTP URL. Firefox and some other browsers allow the call because it is immediately redirected to the corresponding HTTPS page. Chrome seems more picky and does not allow querying the HTTP page. The fix is to allow relative redirects in our Jetty configuration. In this case relative URLs will not be converted to absolute ones, so the scheme is not affected and stays the same.

Please review:
* PR:
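The mechanism described in the comment above, as an added illustration that is not OpenNMS or Jetty code: a servlet container that absolutises a relative Location header has only the scheme of the connection it received, which is plain http when a reverse proxy terminates TLS in front of it. CSP form-action 'self' compares origins (scheme, host, port), so the resulting http:// target is rejected. The model shows the broken case, the relative-redirect fix from this issue, and the alternative of trusting X-Forwarded-Proto (Jetty's ForwardedRequestCustomizer does the latter; the helper functions, the editStep.htm path and the sample response head are constructed for this example). It also includes a small checker an operator can run over captured upstream response headers to spot absolute Location values with the wrong scheme.

```python
# Added example (not OpenNMS or Jetty code): models how a container rewrites a
# relative Location header using the scheme of the socket it received, why that
# yields http:// behind a TLS-terminating reverse proxy, and how CSP
# form-action 'self' then rejects the target. The edit path and the sample
# response head below are constructed for this example.
from urllib.parse import urljoin, urlsplit

PAGE = "https://opennms_host/opennms/admin/notification/noticeWizard/eventNotices.htm"
EDIT_TARGET = "/opennms/example/editStep.htm"  # constructed sample path


def absolutize_location(container_scheme, host, request_path, location,
                        relative_allowed=False, forwarded_proto=None):
    """Mimic a container rewriting a Location header.

    container_scheme: scheme of the connection the container received ("http"
                      when a reverse proxy terminates TLS in front of it).
    relative_allowed: pass a relative Location through untouched (the
                      behaviour the relative-redirect fix in this issue enables).
    forwarded_proto:  X-Forwarded-Proto value, if the container is configured to
                      trust the proxy (Jetty: ForwardedRequestCustomizer).
    """
    if relative_allowed or urlsplit(location).scheme:
        return location
    scheme = forwarded_proto or container_scheme
    return urljoin(f"{scheme}://{host}{request_path}", location)


def origin(url):
    """(scheme, host, port) as CSP compares origins; default ports filled in."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, port)


def allowed_by_form_action_self(page_url, target):
    """CSP form-action 'self': the target must share the page's origin.
    A relative target resolves against the page itself and is always allowed."""
    if not urlsplit(target).scheme:
        return True
    return origin(page_url) == origin(target)


def find_bad_redirects(raw_headers, public_scheme="https"):
    """Return Location values whose absolute scheme differs from the scheme
    clients actually use; relative Location values never trip this check."""
    bad = []
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            value = value.strip()
            scheme = urlsplit(value).scheme
            if scheme and scheme != public_scheme:
                bad.append(value)
    return bad


def demo():
    """Run the broken case and both fixes; returns {case: (location, allowed)}."""
    path = urlsplit(PAGE).path
    broken = absolutize_location("http", "opennms_host", path, EDIT_TARGET)
    fixed_rel = absolutize_location("http", "opennms_host", path, EDIT_TARGET,
                                    relative_allowed=True)
    fixed_fwd = absolutize_location("http", "opennms_host", path, EDIT_TARGET,
                                    forwarded_proto="https")
    return {
        "broken": (broken, allowed_by_form_action_self(PAGE, broken)),
        "relative": (fixed_rel, allowed_by_form_action_self(PAGE, fixed_rel)),
        "forwarded": (fixed_fwd, allowed_by_form_action_self(PAGE, fixed_fwd)),
    }


# Constructed response head, as captured between the reverse proxy and OpenNMS.
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Location: http://opennms_host/opennms/example/editStep.htm
Content-Security-Policy: form-action 'self'
Content-Length: 0
"""

if __name__ == "__main__":
    for case, (url, ok) in demo().items():
        print(f"{case:9s} {url}  form-action 'self' allows: {ok}")
    print("suspicious Location headers:", find_bad_redirects(SAMPLE_RESPONSE))
```

Running it shows the broken case producing http://opennms_host/... and failing the 'self' check, while both the untouched relative Location and the X-Forwarded-Proto-derived https Location pass. The checker is the quick way to confirm a deployment after the fix: any absolute http:// Location coming out of the application behind an HTTPS proxy is a sign that redirects are still being absolutised with the wrong scheme.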

Mark Mahacek June 7, 2023 at 5:47 PM

Note that this issue is reported to only be present in Edge/Chrome browsers. Safari and Firefox seem unaffected.

Fixed

Created June 6, 2023 at 5:22 PM
Updated August 1, 2024 at 4:34 PM
Resolved June 26, 2023 at 8:51 AM