Uploaded image for project: 'Pentaho BA Platform'
  1. Pentaho BA Platform
  2. BISERVER-14139

Pentaho 8 serving up mixed https/http content and therefore being blocked.

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Severity: Unknown
    • Resolution: Not a Bug
    • Affects Version/s: 8.0.0 GA
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None
    • Story Points:
      0
    • Notice:
      When an issue is open, the "Fix Version/s" field conveys a target, not necessarily a commitment. When an issue is closed, the "Fix Version/s" field conveys the version that the issue was fixed in.

      Description

      I've just setup Pentaho 8.0 server using SSL on a load balancer.

      Pentaho runs on standard 8080 and the LB handles the SSL. server.properties has been updated with the correct https url.

      However; I've found that chrome (and presumably other apps) blocks the login page because of a Mixed content message:

      The page xx/pentaho/Login was loaded over HTTPS but requested an insecure XMLHttpRequest endpoint 'http://xx/pentaho/index.jsp'. This request has been blocked. The content must be served over HTTPS

      All fair enough. So; Why hasn't Pentaho done this?

      If you change the url back to https, it does actually login, and work fine.

      I found a few similar comments on the forums..

      I guess one workaround could be some sort of rewrite on the load balancer? But before I look at that, I just wanted to reach out and see if anyone else has seen this.

      I did notice in the code there are references to two different procedures, one called:

      getFullyQualifiedServerUrl()
      and one called
      getFullyQualifiedServerURL()

      I wonder if one of those is broken?

      Raising this as a Jira on direction from Luc Boudreau. If this really is a bug be nice to see it fixed in 8.2

      Login:1 Mixed Content: The page at 'https://something.com/pentaho/Login' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://something.com/pentaho/index.jsp'. This request has been blocked; the content must be served over HTTPS.

        Attachments

          Activity

            People

            • Assignee:
              lboudreau Luc Boudreau
              Reporter:
              camdk3 Dan Keeley (codek)
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: