Disabling use of https on OfBiz servers


Disabling use of https on OfBiz servers

William Angus
Hi,

I am currently trying to disable the use of https on the webtools/admin
side of ofbiz so that we can use access control to pass users to the
appropriate location within our network.

Our system will consist of SSL terminated behind our router/firewall on
the proxy server prior to the proxy forwarding to the ofbiz application
servers. https will be used until the traffic hits the proxy where it is
decrypted using stunnel or similar. Once decrypted we will use the
http-based ACLs to pass the traffic to the appropriate login instance.

Problem is, I seem to be unable to force the use of http only within our
test environment.

Currently the test environment we have been looking at this with is
trunk-2009-07-21-v796194 using embedded Tomcat but we would be looking
to running a full Tomcat install on a production system.

To date I have tried changing the settings of url.properties to
port.https.enabled=N
and
force.http.host=Y

also have looked at server.xml in the tomcat6 section and just for a
test changed all 8443 to 8080 however when the following url was tried
http://server-name:8080/webtools/login
it changed back to https://.......:8443/....

I was wondering if there was anything that I have missed or if there is
a specific file/entry that holds the configuration settings for
webtools/login.

I haven't had much experience of configuring Tomcat or OfBiz (past
database setup and initial install) as until recently my focus has been
elsewhere.

Regards
William Angus
--
William Angus - Systems Analyst
Virtual Xpert Pty Ltd
Suite 207, 35 Buckingham Street
Surry Hills
NSW 2010
Australia

Ph: +61 2 9007 1480
Fax: +61 2 8905 9438
Mob: +61 424 298 449
email: [hidden email]

www.virtualxpert.com.au

Re: Disabling use of https on OfBiz servers

Anne Jessel
Hi William

The only way I know of is to edit the relevant controller.xml file(s), looking for

<security https="true".../>

and changing that "true" to "false".

Someone else may know a better way.

Cheers,
Anne.

2009/8/6 William Angus <[hidden email]>
> Hi,
>
> I am currently trying to disable the use of https on the webtools/admin side of ofbiz so that we can use access control to pass users to the appropriate location within our network.
>
> Our system will consist of SSL terminated behind our router/firewall on the proxy server prior to the proxy forwarding to the ofbiz application servers. https will be used until the traffic hits the proxy where it is decrypted using stunnel or similar. Once decrypted we will use the http-based ACLs to pass the traffic to the appropriate login instance.
>
> Problem is, I seem to be unable to force the use of http only within our test environment.
>
> Currently the test environment we have been looking at this with is trunk-2009-07-21-v796194 using embedded Tomcat but we would be looking to running a full Tomcat install on a production system.
>
> To date I have tried changing the settings of url.properties to port.https.enabled=N
> and
> force.http.host=Y
>
> also have looked at server.xml in the tomcat6 section and just for a test changed all 8443 to 8080 however when the following url was tried
> http://server-name:8080/webtools/login
> it changed back to https://.......:8443/....
>
> I was wondering if there was anything that I have missed or if there is a specific file/entry that holds the configuration settings for webtools/login.
>
> I haven't had much experience of configuring Tomcat or OfBiz (past database setup and initial install) as until recently my focus has been elsewhere.
>
> Regards
> William Angus
> --
> William Angus - Systems Analyst
> Virtual Xpert Pty Ltd
> Suite 207, 35 Buckingham Street
> Surry Hills
> NSW 2010
> Australia
>
> Ph: +61 2 9007 1480
> Fax: +61 2 8905 9438
> Mob: +61 424 298 449
> email: [hidden email]
>
> www.virtualxpert.com.au



--
Coherent Software Australia Pty Ltd
PO Box 2773
Cheltenham Vic 3192
Phone: (03) 9585 6788
Fax: (03) 9585 1086
Web: http://www.cohsoft.com.au/
Email: [hidden email]

Bonsai ERP, the all-inclusive ERP system
http://www.bonsaierp.com.au/
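
An added example, not part of Anne's message or of the OFBiz code base: when `https="true"` is switched to `"false"` in controller.xml files, a short audit can list which request-maps now accept plain HTTP, so it is clear what depends on the TLS-terminating proxy. The sample XML, the URIs in it, the `CREDENTIAL_URIS` set and the treatment of a missing attribute as "not set" are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a controller.xml; URIs are made up.
SAMPLE_CONTROLLER = """<site-conf>
    <request-map uri="login">
        <security https="false" auth="false"/>
    </request-map>
    <request-map uri="main">
        <security https="true" auth="true"/>
    </request-map>
    <request-map uri="adminTool">
        <security https="false" auth="true"/>
    </request-map>
    <request-map uri="view">
        <security auth="false"/>
    </request-map>
</site-conf>"""

# Assumption: request URIs that carry credentials, for this example only.
CREDENTIAL_URIS = {"login", "logout"}

def flag(sec, name):
    # A missing <security> element or attribute is treated as "not set";
    # that default is this example's assumption.
    return sec is not None and sec.get(name, "false").lower() == "true"

def audit_controller(xml_text):
    """Return (uri, reason) pairs for request-maps reachable over plain HTTP."""
    findings = []
    for req in ET.fromstring(xml_text).iter("request-map"):
        uri = req.get("uri", "")
        sec = req.find("security")
        if flag(sec, "https"):
            continue
        if flag(sec, "auth"):
            findings.append((uri, "authenticated request without https"))
        elif uri in CREDENTIAL_URIS:
            findings.append((uri, "credential request without https"))
    return findings

if __name__ == "__main__":
    for uri, reason in audit_controller(SAMPLE_CONTROLLER):
        print(f"{uri}: {reason}")
```

Running it over each edited controller.xml gives a record of the requests whose transport protection now rests on the network path between the proxy and the application servers.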



Re: Disabling use of https on OfBiz servers

Scott Gray-2
I think that'll come down to the only option unless you want to change
the RequestHandler class. Even if you can prevent the redirect by
configuration, any POST data meant for a secure URL will be rejected if
sent via HTTP.

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 6/08/2009, at 3:03 PM, [hidden email] wrote:

> Hi William
>
> The only way I know of is to edit the relevant controller.xml  
> file(s), looking for
>
> <security https="true".../>
>
> and changing that "true" to "false".
>
> Someone else may know a better way.
>
> Cheers,
> Anne.
>
> 2009/8/6 William Angus <[hidden email]>
> Hi,
>
> I am currently trying to disable the use of https on the webtools/
> admin side of ofbiz so that we can use access control to pass users  
> to the appropriate location within our network.
>
> Our system will consist of SSL terminated behind our router/firewall  
> on the proxy server prior to the proxy forwarding to the ofbiz  
> application servers. https will be used until the traffic hits the  
> proxy where it is decrypted using stunnel or similar. Once decrypted  
> we will use the http-based ACLs to pass the traffic to the  
> appropriate login instance.
>
> Problem is, I seem to be unable to force the use of http only within  
> our test environment.
>
> Currently the test environment we have been looking at this with is  
> trunk-2009-07-21-v796194 using embedded Tomcat but we would be  
> looking to running a full Tomcat install on a production system.
>
> To date I have tried changing the settings of url.properties to  
> port.https.enabled=N
> and
> force.http.host=Y
>
> also have looked at server.xml in the tomcat6 section and just for a  
> test changed all 8443 to 8080 however when the following url was tried
> http://server-name:8080/webtools/login
> it changed back to https://.......:8443/....
>
> I was wondering if there was anything that I have missed or if there  
> is a specific file/entry that holds the configuration settings for  
> webtools/login.
>
> I haven't had much experience of configuring Tomcat or OfBiz (past  
> database setup and initial install) as until recently my focus has  
> been elsewhere.
>
> Regards
> William Angus
> --
> William Angus - Systems Analyst
> Virtual Xpert Pty Ltd
> Suite 207, 35 Buckingham Street
> Surry Hills
> NSW 2010
> Australia
>
> Ph: +61 2 9007 1480
> Fax: +61 2 8905 9438
> Mob: +61 424 298 449
> email: [hidden email]
>
> www.virtualxpert.com.au
>
>
>
> --
> Coherent Software Australia Pty Ltd
> PO Box 2773
> Cheltenham Vic 3192
> Phone: (03) 9585 6788
> Fax: (03) 9585 1086
> Web: http://www.cohsoft.com.au/
> Email: [hidden email]
>
> Bonsai ERP, the all-inclusive ERP system
> http://www.bonsaierp.com.au/
>



Re: Disabling use of https on OfBiz servers

Mike Rose
In reply to this post by William Angus
Hi William,

I recently had to do a similar task. My solution was to proxy
Tomcat with an Apache httpd instance via AJP/JK. Within Apache you
now have a fair number of flexible tools that allow you to modify URLs
as they pass through. mod_rewrite is especially helpful here to use
to fake out Tomcat.

Mike


On Aug 5, 2009, at 10:33 PM, William Angus wrote:

> Hi,
>
> I am currently trying to disable the use of https on the webtools/
> admin side of ofbiz so that we can use access control to pass users  
> to the appropriate location within our network.
>
> Our system will consist of SSL terminated behind our router/firewall  
> on the proxy server prior to the proxy forwarding to the ofbiz  
> application servers. https will be used until the traffic hits the  
> proxy where it is decrypted using stunnel or similar. Once decrypted  
> we will use the http-based ACLs to pass the traffic to the  
> appropriate login instance.
>
> Problem is, I seem to be unable to force the use of http only within  
> our test environment.
>
> Currently the test environment we have been looking at this with is  
> trunk-2009-07-21-v796194 using embedded Tomcat but we would be  
> looking to running a full Tomcat install on a production system.
>
> To date I have tried changing the settings of url.properties to  
> port.https.enabled=N
> and
> force.http.host=Y
>
> also have looked at server.xml in the tomcat6 section and just for a  
> test changed all 8443 to 8080 however when the following url was tried
> http://server-name:8080/webtools/login
> it changed back to https://.......:8443/....
>
> I was wondering if there was anything that I have missed or if there  
> is a specific file/entry that holds the configuration settings for  
> webtools/login.
>
> I haven't had much experience of configuring Tomcat or OfBiz (past  
> database setup and initial install) as until recently my focus has  
> been elsewhere.
>
> Regards
> William Angus
> --
> William Angus - Systems Analyst
> Virtual Xpert Pty Ltd
> Suite 207, 35 Buckingham Street
> Surry Hills
> NSW 2010
> Australia
>
> Ph: +61 2 9007 1480
> Fax: +61 2 8905 9438
> Mob: +61 424 298 449
> email: [hidden email]
>
> www.virtualxpert.com.au