OWS makes https request instead of http (JVM Download Server list and jnlp file)

The public knowledge pool and discussion forum of the OWS community. Do not post confidential information here!
ptai
Posts: 13
Joined: 13 Aug 2020, 14:50

OWS makes https request instead of http (JVM Download Server list and jnlp file)

Post by ptai »

The JVM download server is in our case a local server which is reachable over http. When OWS requests the jvms.json file, it does an https request. As the server has no certificate, a "Security Warning" dialog that the HTTPS Certificate cannot be verified is shown.

The same is true when requesting a .jnlp file.

Is there a way to force OWS to use the scheme provided in the URL?

Janak Mulani
Posts: 725
Joined: 24 Mar 2020, 13:37

Re: OWS makes https request instead of http (JVM Download Server list and jnlp file)

Post by Janak Mulani »

I presume you are using OWS v 1.1.8.

I have a local JVM Server http://localhost:8081/jvms/jvms2.json which I have specified in itw-settings > JVM Manager > Settings > Default update server URL

The jvms2.json is as follows:

Code: Select all

{
    "cacheTimeInMillis":5000,
    "runtimes":[
      {
          "version":"1.8.0_252",
                    "vendor":"Zulu Community Edition",
                    "os":"WIN64",
                    "href":"http://localhost:8081/jvms/azul_1.8.0_252.zip"
      }
    ]
}
Both the JVM server URL and URL for the JVM use HTTP and it woks for me => OWS takes the JVM Server URL from Settings and the JVM URL from the json file.

Stephan Classen
Posts: 232
Joined: 27 Mar 2020, 09:55

Re: OWS makes https request instead of http (JVM Download Server list and jnlp file)

Post by Stephan Classen »

Also in the settings under the tab "Security"
There is an option "Do not favor https requests". If you select this OWS will not use https instead of http.
But be advised that http is not save against a man in the middle attack and we strongly discourage the usage of http because any software which is downloaded has the potential to execute arbitrary code on your machine.

ptai
Posts: 13
Joined: 13 Aug 2020, 14:50

Re: OWS makes https request instead of http (JVM Download Server list and jnlp file)

Post by ptai »

Thank you for the hint to this setting and its security implications. We have a deployment where the application is locally deployed by OWS in a secured local network. A man in the middle attack is still possible, but the attacker would have to have access to the secured network.

I tested the setting and it works as advertised!

Post Reply