Category: Bug report
Priority: High
Status: New
Project:
Severity: Major
Resolution: Open
Component:
Reproducibility: Always
Assigned to:
Setup of environment:
* In Azure with Azure application gateway - SSL is terminated at the gateway
* Application is using visualize.js
* visualize is downloaded via https request on browser
** https://<domain>/jasperserver-pro/client/visualize.js?1601645389
* all the needed components are downloaded successfully via https, e.g.
** https://<domain>/jasperserver-pro/runtime/AC91FCAB/optimized-scripts/runtime_dependencies/bi-report/src/bi/report/schema/ReportSearch.json
* auth request is made and returns 200
** https://<domain>/jasperserver-pro/rest_v2/settings/auth
* the next request captured by the browser causes a redirect to HTTP
** request - https://<domain>/jasperserver-pro/?pp=gd+HOSrq/DNYTutyiZzI3wCPyN8jNM/+UmD7JDJQ+5968b6eVpxpdtHpruU5d1Qlo793ayZiGXVf4apUI3Tp7ZIGLQwam78cfk+xw4x6aEs=
** Location response header - http://<domain>/jasperserver-pro/scripts/visualize/auth/loginSuccess.json
* redirect is blocked by the browser as insecure - mixed content
** Mixed Content: The page at 'https://<domain>/ams-web/Kernel/w_main.jsp?AA_SID=5fc22511-10ef-4a42-b6f1-855f48b28447' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://<domain>/jasperserver-pro/scripts/visualize/auth/loginSuccess.json'. This request has been blocked; the content must be served over HTTPS.
The jasperserver code appears to be issuing the redirect with an explicit protocol, i.e. an absolute http:// URL in the Location header.
The jaspersoft Tomcat server does not know the actual external domain or scheme: it is running as a kubernetes service behind the Azure Application Gateway, which terminates SSL, so Tomcat only ever sees plain HTTP.
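The following added example (constructed for this report, not JasperReports Server or Tomcat code) shows why an application behind a TLS-terminating gateway emits an http:// Location header, and how a proxy-aware server derives the public scheme and host instead. The trusted proxy range, the X-Forwarded-Proto / X-Forwarded-Host header names, the sample request and the host names are assumptions.

```python
"""Constructed example: redirect construction behind a TLS-terminating gateway.

Not JasperReports Server or Tomcat code.  The proxy range, forwarded header
names, host names and sample request below are assumptions for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed: the gateway's internal address range.  Only requests arriving from
# here may set the forwarded scheme/host; any other peer could spoof them.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_location(socket_scheme: str, host: str, path: str) -> str:
    """The behaviour the report describes: the scheme seen on the server's own
    socket (plain HTTP behind the gateway) is baked into an absolute URL."""
    return f"{socket_scheme}://{host}{path}"


def _from_trusted_proxy(peer_ip: str) -> bool:
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_scheme(peer_ip: str, socket_scheme: str, headers: dict) -> str:
    """Prefer X-Forwarded-Proto, but only from a trusted proxy and only if it
    holds a sane value; otherwise fall back to what the socket saw."""
    if _from_trusted_proxy(peer_ip):
        # A proxy chain may append values; the first is the client-facing one.
        value = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if value in ("http", "https"):
            return value
    return socket_scheme


def effective_host(peer_ip: str, headers: dict) -> str:
    """Same trust rule for the public host name the gateway presents."""
    if _from_trusted_proxy(peer_ip):
        value = headers.get("X-Forwarded-Host", "").split(",")[0].strip()
        if value:
            return value
    return headers.get("Host", "")


def proxy_aware_location(peer_ip: str, socket_scheme: str,
                         headers: dict, path: str) -> str:
    """Absolute Location header built from the externally visible scheme/host."""
    scheme = effective_scheme(peer_ip, socket_scheme, headers)
    host = effective_host(peer_ip, headers)
    return f"{scheme}://{host}{path}"


def browser_blocks_as_mixed_content(page_url: str, target_url: str) -> bool:
    """Approximation of the browser check quoted in the report: a page loaded
    over https may not fetch an http endpoint via XMLHttpRequest."""
    return (urlsplit(page_url).scheme == "https"
            and urlsplit(target_url).scheme == "http")


# Constructed request as the app sees it: the gateway (10.0.1.5) terminated
# TLS and forwarded over plain HTTP, adding the forwarded headers.
GATEWAY_HEADERS = {
    "Host": "jasper-svc.internal:8080",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "reports.example.test",
}
PATH = "/jasperserver-pro/scripts/visualize/auth/loginSuccess.json"
PAGE = "https://reports.example.test/ams-web/Kernel/w_main.jsp"

if __name__ == "__main__":
    bad = naive_location("http", GATEWAY_HEADERS["Host"], PATH)
    good = proxy_aware_location("10.0.1.5", "http", GATEWAY_HEADERS, PATH)
    for label, url in (("naive", bad), ("proxy-aware", good)):
        verdict = "blocked" if browser_blocks_as_mixed_content(PAGE, url) else "ok"
        print(f"{label:12}: {url} -> {verdict}")
    # A forwarded header from an untrusted peer must not change the scheme.
    spoofed = proxy_aware_location("203.0.113.9", "http",
                                   {"Host": "x", "X-Forwarded-Proto": "https"}, PATH)
    print(f"{'untrusted':12}: {spoofed}")
```

The trust-the-proxy rule is the same one Tomcat's RemoteIpValve applies when configured with `internalProxies` and `protocolHeader="X-Forwarded-Proto"`, provided the gateway in front of it actually sets that header; the alternative that avoids the problem entirely is to emit a relative Location (path only) and let the browser resolve it against the page's own origin.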
See also https://community.jaspersoft.com/questions/1199196/how-prevent-auth-redi...