Description
Full HTTPS (port 443) implementation still redirects to HTTP (port 80)
Apache Frontend Configured For HTTPs
Implemented Apache frontend using IG-OpenWIS-3.16 Installation Guide
Security Service Circle of Trust configured for HTTPs
Servers & Sites Settings
Portal Federation Services Configured For HTTPs
Portal SAML2 Fedlet
> <!-- SAML 2.0 metadata for the service provider registered under entityID "AdminPortal". -->
> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="AdminPortal">
> <!-- SP role. AuthnRequestsSigned="false": this SP declares that it does not sign its authentication requests. WantAssertionsSigned="false": the SP does not ask the IdP to sign assertions. No KeyDescriptor is declared in this descriptor. NOTE(review): with the HTTP-POST binding the assertion travels through the browser, so confirm that a signature is enforced somewhere (on the Response or on the Assertion) before trusting its content; otherwise set both flags to "true" and publish the signing certificate. -->
> <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
> <!-- Single logout endpoints (HTTP-Redirect, HTTP-POST, SOAP); every Location and ResponseLocation is an https URL. -->
> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://giscdev-washington.mdl.nws.noaa.gov/openwis-admin-portal/fedletSloRedirect" ResponseLocation="https://giscdev-washington.mdl.nws.noaa.gov/openwis-admin-portal/fedletSloRedirect"/>
> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://giscdev-washington.mdl.nws.noaa.gov/openwis-admin-portal/fedletSloPOST" ResponseLocation="https://giscdev-washington.mdl.nws.noaa.gov/openwis-admin-portal/fedletSloPOST"/>
> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://giscdev-washington.mdl.nws.noaa.gov/openwis-admin-portal/fedletSloSoap"/>
> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
> <!-- Assertion consumer endpoints: index 0 (the default) uses HTTP-POST, index 1 uses HTTP-Artifact; both point at the same https URL. -->
> <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://giscdev-washington.mdl.nws.noaa.gov/openwis-admin-portal/openWisAuthorization"/>
> <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://giscdev-washington.mdl.nws.noaa.gov/openwis-admin-portal/openWisAuthorization"/>
> </SPSSODescriptor>
> <!-- Attribute query role (xsi:type query:AttributeQueryDescriptorType); no endpoints or keys are listed for it. -->
> <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
> <!-- XACML authorization decision query role; WantAssertionsSigned is "false" here as well. -->
> <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
> </EntityDescriptor>
OpenAM IDP Services
OpenAM SP openwis-admin-portal Services
Apache Frontend Logging Still Showing HTTP port 89
137.75.80.24 - - [08/Feb/2023:15:35:47 +0000] "GET /openam/UI/Login?realm=/&spEntityID=AdminPortal&goto=http%3A%2F%2Fgiscdev-washington.mdl.nws.noaa.gov%2Fopenam%2FSSORedirect%2FmetaAlias%2Fidp%3FReqID%3Ds2f032a37358dab87eab3d7c111dbccc33182c8bcf%26index%3Dnull%26acsURL%3Dhttps%253A%252F%252Fgiscdev-washington.mdl.nws.noaa.gov%252Fopenwis-admin-portal%252FopenWisAuthorization%26spEntityID%3DAdminPortal%26binding%3Durn%253Aoasis%253Anames%253Atc%253ASAML%253A2.0%253Abindings%253AHTTP-POST HTTP/1.1" 301 700
137.75.80.24 - - [08/Feb/2023:15:36:02 +0000] "GET /openam/SSORedirect/metaAlias/idp?ReqID=s2f032a37358dab87eab3d7c111dbccc33182c8bcf&index=null&acsURL=https%3A%2F%2Fgiscdev-washington.mdl.nws.noaa.gov%2Fopenwis-admin-portal%2FopenWisAuthorization&spEntityID=AdminPortal&binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST HTTP/1.1" 301 555
137.75.80.24 - - [08/Feb/2023:15:36:02 +0000] "GET /openam/SSORedirect/metaAlias/idp?resInfoID=s2e8ec265a28905cbe182264b074d5b8cbc0c94e01 HTTP/1.1" 301 337
137.75.80.24 - - [08/Feb/2023:15:36:02 +0000] "GET /openwis-admin-portal/openWisGetToken HTTP/1.1" 301 288
137.75.80.24 - - [08/Feb/2023:15:36:53 +0000] "-" 408 -
137.75.80.24 - - [08/Feb/2023:15:37:09 +0000] "GET /openam/UI/Login?realm=/&spEntityID=AdminPortal&goto=http%3A%2F%2Fgiscdev-washington.mdl.nws.noaa.gov%2Fopenam%2FSSORedirect%2FmetaAlias%2Fidp%3FReqID%3Ds20608142ccc90ec13c61a7799646bd2462a41dfdb%26index%3Dnull%26acsURL%3Dhttps%253A%252F%252Fgiscdev-washington.mdl.nws.noaa.gov%252Fopenwis-admin-portal%252FopenWisAuthorization%26spEntityID%3DAdminPortal%26binding%3Durn%253Aoasis%253Anames%253Atc%253ASAML%253A2.0%253Abindings%253AHTTP-POST HTTP/1.1" 301 700
137.75.80.24 - - [08/Feb/2023:15:37:22 +0000] "GET /openam/SSORedirect/metaAlias/idp?ReqID=s20608142ccc90ec13c61a7799646bd2462a41dfdb&index=null&acsURL=https%3A%2F%2Fgiscdev-washington.mdl.nws.noaa.gov%2Fopenwis-admin-portal%2FopenWisAuthorization&spEntityID=AdminPortal&binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST HTTP/1.1" 301 555
137.75.80.24 - - [08/Feb/2023:15:37:22 +0000] "GET /openam/SSORedirect/metaAlias/idp?resInfoID=s2731806b0b3a7797cb34de4bfdd5e4921e8fb2f01 HTTP/1.1" 301 337
137.75.80.24 - - [08/Feb/2023:15:37:23 +0000] "GET /openwis-admin-portal/openWisGetToken HTTP/1.1" 301 288
137.75.80.24 - - [08/Feb/2023:15:38:13 +0000] "-" 408 -
Source Code Bread-Crumbs
This function builds the site URL with a hard-coded "http://" scheme, so it never takes the HTTP/HTTPS protocol into account.
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/DataManager.java
//---------------------------------------------------------------------------
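/**
 * Builds the absolute base URL of this site's English service endpoint.
 *
 * <p>Host and port are read from the "system/server/host" and
 * "system/server/port" settings; the path is
 * {@code baseURL + "/" + Jeeves.Prefix.SERVICE + "/en"}.
 *
 * <p>The scheme used to be hard-coded to "http://", so a site configured on
 * port 443 produced "http://host:443/...", a cleartext URL aimed at the TLS
 * port. The scheme is now inferred from the port: 443 yields "https" and,
 * like 80 for "http", is left out of the URL as the scheme default. Every
 * other port keeps the previous "http://host:port" form. A missing or empty
 * port setting is treated as the default port instead of throwing.
 *
 * <p>NOTE(review): the port is the only scheme hint visible in this block.
 * TLS on a non-standard port, or TLS terminated by a front-end proxy while
 * this setting stays at 80, still yields "http://". That case needs an
 * explicit scheme setting; none is visible here, so confirm whether one exists.
 *
 * @return the site URL, without a trailing slash
 */
public String getSiteURL() {
    String host = settingMan.getValue("system/server/host");
    String port = settingMan.getValue("system/server/port");
    String locServ = baseURL + "/" + Jeeves.Prefix.SERVICE + "/en";

    // 443 is the standard TLS port; an http:// URL on it cannot work.
    boolean tls = "443".equals(port);
    String scheme = tls ? "https" : "http";

    // Omit the port when it is absent or is the default for the chosen scheme.
    // Constant-first equals() keeps a null setting from raising a NullPointerException.
    boolean defaultPort = port == null || port.isEmpty() || tls || "80".equals(port);

    return scheme + "://" + host + (defaultPort ? "" : ":" + port) + locServ;
}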
//--------------------------------------------------------------------------
This appears to be used in several locations:
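# List every .java file under the current directory that mentions getSiteURL (case-insensitive).
# The glob is quoted so the shell does not expand it before find sees it, and the
# -exec terminator is escaped so the shell hands it to find instead of ending the command there.
find . -name '*.java' -exec grep -i getSiteURL {} \; -print | egrep 'java$'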
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/guiservices/util/GetSiteURL.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/DataManager.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/harvest/harvester/fragment/FragmentHarvester.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/harvest/harvester/metadatafragments/Harvester.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/harvest/harvester/thredds/Harvester.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/oaipmh/Lib.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/oaipmh/OaiPmhDispatcher.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/oaipmh/services/Identify.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/kernel/setting/SettingInfo.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/services/metadata/PrepareFileDownload.java
./openwis-metadataportal/openwis-portal/src/main/java/org/fao/geonet/services/register/SelfRegister.java
./openwis-metadataportal/openwis-portal/src/main/java/org/openwis/metadataportal/kernel/metadata/MetadataManager.java
./openwis-metadataportal/openwis-portal/src/main/java/org/openwis/metadataportal/services/register/SelfRegister.java