The JVM download server is in our case a local server which is reachable over http. When OWS requests the jvms.json file, it does an https request. As the server has no certificate, a "Security Warning" dialog that the HTTPS Certificate cannot be verified is shown.
The same is true when requesting a .jnlp file.
Is there a way to force OWS to use the scheme provided in the URL?
OWS makes https request instead of http (JVM Download Server list and jnlp file)
-
- Posts: 773
- Joined: 24 Mar 2020, 13:37
Re: OWS makes https request instead of http (JVM Download Server list and jnlp file)
I presume you are using OWS v 1.1.8.
I have a local JVM Server http://localhost:8081/jvms/jvms2.json which I have specified in itw-settings > JVM Manager > Settings > Default update server URL
The jvms2.json is as follows:
Both the JVM server URL and URL for the JVM use HTTP and it woks for me => OWS takes the JVM Server URL from Settings and the JVM URL from the json file.
I have a local JVM Server http://localhost:8081/jvms/jvms2.json which I have specified in itw-settings > JVM Manager > Settings > Default update server URL
The jvms2.json is as follows:
Code: Select all
{
"cacheTimeInMillis":5000,
"runtimes":[
{
"version":"1.8.0_252",
"vendor":"Zulu Community Edition",
"os":"WIN64",
"href":"http://localhost:8081/jvms/azul_1.8.0_252.zip"
}
]
}
-
- Posts: 232
- Joined: 27 Mar 2020, 09:55
Re: OWS makes https request instead of http (JVM Download Server list and jnlp file)
Also in the settings under the tab "Security"
There is an option "Do not favor https requests". If you select this OWS will not use https instead of http.
But be advised that http is not save against a man in the middle attack and we strongly discourage the usage of http because any software which is downloaded has the potential to execute arbitrary code on your machine.
There is an option "Do not favor https requests". If you select this OWS will not use https instead of http.
But be advised that http is not save against a man in the middle attack and we strongly discourage the usage of http because any software which is downloaded has the potential to execute arbitrary code on your machine.
Re: OWS makes https request instead of http (JVM Download Server list and jnlp file)
Thank you for the hint to this setting and its security implications. We have a deployment where the application is locally deployed by OWS in a secured local network. A man in the middle attack is still possible, but the attacker would have to have access to the secured network.
I tested the setting and it works as advertised!
I tested the setting and it works as advertised!