Login does not redirect to https

Steps to reproduce

Steps to reproduce:
1. run opencast with only http
2. use a proxy with https (with server.url correctly configured to point to the proxy address)
3. log in

Actual Results:
POST /j_spring_security_check does a 302 redirect to http://server.url/admin-ng/index.html instead of https://server.url/admin-ng/index.html

This is especially a problem when logging in via ajax in the engage ui as engage thinks the authentication failed because the browser will not redirect to http because of mixed content violation. You are actually logged in despite the error, which manually reloading the page proves.

Expected Results:
the browser is redirected to https://server.url/admin-ng/index.html thus enabling you to log in.

Workaround (if any):
configure your proxy to rewrite the response headers for Location: from http to https

Activity

Show:
Greg Logan
June 10, 2019, 4:03 PM

This seems like something that should go into the docs.

Paul Pettit
September 1, 2017, 10:14 AM

Example rewrite rules for info:

  1. Nginx
    proxy_redirect http://$host https://$host;

  1. haproxy
    http-response replace-value Location http://(.*) https://\1

Assignee

Greg Logan

Reporter

Paul Pettit

Severity

Incorrectly Functioning With Workaround