You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@fineract.apache.org by "Petri Tuomola (Jira)" <ji...@apache.org> on 2021/11/24 13:29:00 UTC
[jira] [Resolved] (FINERACT-1423) http (i.e. non-SSL) only responds with GET to any requests (POST / PUT / DELETE)
[ https://issues.apache.org/jira/browse/FINERACT-1423?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Petri Tuomola resolved FINERACT-1423.
-------------------------------------
Resolution: Won't Fix
I think this works as expected. If you go for a http request, it forwards you to https. However forward is only a HTTP GET, so therefore whatever method you called, it gets translated to GET.
The only options we would have is:
* Disable HTTP altogether (i.e. don't even do a forward)
* Allow HTTP for all verbs
But I don't think either of those would be much better than what we have today.
> http (i.e. non-SSL) only responds with GET to any requests (POST / PUT / DELETE)
> --------------------------------------------------------------------------------
>
> Key: FINERACT-1423
> URL: https://issues.apache.org/jira/browse/FINERACT-1423
> Project: Apache Fineract
> Issue Type: Bug
> Affects Versions: 1.5.0
> Reporter: Petri Tuomola
> Assignee: Petri Tuomola
> Priority: Major
>
> If you access any API using method POST / PUT / DELETE but with http (not HTTPS), Fineract responds as if you had done a GET.
> So PUT /fineract-provider/api/v1/offices/2 is actually actioned as GET /fineract-provider/api/v1/offices/2 when done with http
> If you change to https, everything works well.
> This means that HTTP endpoint is pretty much dead for all practical purposes. To avoid confusion, my suggestion would be that we disable this and just reject any call to HTTP, rather than responding with the incorrect response. HTTP is anyway insecure and should not be used.
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)