
Thread: Spring security's HTTPS issue with load balance

  1. #1

    Spring security's HTTPS issue with load balance

    Hi there,

    I have one load balancer + 2 web servers (Apache) + 2 app servers (Tomcat),
    and the SSL cert is installed on the load balancer.
    I am using Spring Security version 2.0.4.

    HTTP access is working fine, but when I try to use https://ab.com/login.jsp and log in successfully, the target page changes back to HTTP (e.g. http://ab.com/index.jsp).


    If I change the configuration for the target index.jsp in the http tag as below, I encounter another error [Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects.]
    <intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS" requires-channel="https"/>
    It looks like this is because of the HTTP connection between the web server and the app server, so Spring Security tries to redirect to HTTPS.

    I don't know how to solve this issue.
    Any advice/ideas? Thanks in advance.

    Regards
    ZX
    Last edited by zhangxin; Apr 27th, 2011 at 02:05 AM.

  2. #2


    It looks like it only affects the Spring Security login/logout functions; the rest of the functions work fine.
    It looks again like an absolute path vs. relative path issue, as it is solved when I change the default target index.jsp to https://ab.com/index.jsp in the Spring Security configuration file.
    But it is not a good solution as it hard-codes the URL. I thought AJP could solve this kind of issue, but this time it looks like it does not work with Spring Security.

    any ideas....?

    thx

  3. #3


    I don't know why it only affects Spring Security login/logout.

  4. #4


    I found it is caused by RedirectUtil invoking response.sendRedirect(response.encodeRedirectURL(finalUrl));

    As is known, the back-end app server is not aware that the client uses HTTPS, as internally it is plain HTTP between the web and app servers. Most of my applications use Struts forwards rather than redirects; that is why they are not impacted.

    Now I want to know whether Spring Security has a solution for this scenario?

  5. #5


    Spring security is using http when it does the redirect because HttpServletRequest.getScheme() is http. The reason you are not having the issue with other redirects is likely because the redirect is not absolute. Spring Security follows the RFC and only specifies location header values of absolute URLs (i.e. absolute redirects) which are based upon the HttpServletRequest. One option is to configure all your DefaultRedirectStrategy's to be contextRelative (you could do this with a BeanPostProcessor as described in the FAQ). Another, to me more attractive option, is to configure Tomcat to be aware it is behind a proxy. You will want to refer to the Tomcat documentation to learn how to do this.

    HTH,
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal

  6. #6


    Hi Rwinch,

    Thanks very much for your kind help.

    For your option 2, do I need to configure httpd (which is one more layer between the app and the load balancer) as well? Is there any documentation I can refer to?

    For option 1, does version 2.0.4 also support changing DefaultRedirectStrategy?

    Lastly, could I know what the difference is between relative and absolute redirection? What are the pros and cons?

  7. #7


    Quote Originally Posted by zhangxin
    For your option 2, do I need to configure httpd (which is one more layer between the app and the load balancer) as well? Is there any documentation I can refer to?
    I would refer you to tomcat's documentation on how to do this. If you are having problems, the tomcat forums are likely the best option. I realize this response may appear to be rude, but in all honesty I am a novice at configuring tomcat for prod environments (I understand the basics and at a high level what needs to be done). Therefore, I am guiding you to the tomcat experts so that you get the correct setup. I would encourage you to respond back to this thread and post your setup so that others can use this information too (it would be a great way to give back to the community).

    Quote Originally Posted by zhangxin
    For option 1, does version 2.0.4 also support changing DefaultRedirectStrategy?
    Sorry I did not notice that you were using 2.x. This option does not work for 2.x. The only way I can think of making this an option is by overriding the HttpServletResponse.sendRedirect method to remove the scheme, host, and port by using an HttpServletResponseWrapper.

    Quote Originally Posted by zhangxin
    Lastly, could I know what the difference is between relative and absolute redirection? What are the pros and cons?
    The difference is that the RFC states you should use absolute URLs. For all practical purposes most browsers will support relative redirects, but technically absolute URLs are correct and are what is guaranteed to work.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
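    The response-wrapper approach Rob describes, as an added illustration that is not Spring Security's or Tomcat's code: a hypothetical filter wraps HttpServletResponse and rewrites same-host absolute redirects to path-only Location headers. It sets the header directly rather than calling the container's sendRedirect, because the Servlet spec requires the container to turn a relative location back into an absolute one using the request's (plain HTTP) scheme.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical filter: register it in web.xml ahead of the Spring Security filter chain. */
public class RelativeRedirectFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        chain.doFilter(request, new RelativeRedirectResponse(request, (HttpServletResponse) res));
    }

    static class RelativeRedirectResponse extends HttpServletResponseWrapper {
        private final HttpServletRequest request;

        RelativeRedirectResponse(HttpServletRequest request, HttpServletResponse response) {
            super(response);
            this.request = request;
        }

        @Override
        public void sendRedirect(String location) throws IOException {
            String path = toPathOnly(location);
            if (path == null) {            // external or unparsable target: normal behaviour
                super.sendRedirect(location);
                return;
            }
            // Emulate sendRedirect without letting the container re-absolutise the path.
            resetBuffer();
            setStatus(SC_MOVED_TEMPORARILY);
            setHeader("Location", path);
            flushBuffer();                  // commits the response, like sendRedirect does
        }

        /** Returns "/path?query" when the target is this host, otherwise null. */
        String toPathOnly(String location) {
            try {
                URI uri = new URI(location);
                if (uri.getHost() == null || !uri.getHost().equalsIgnoreCase(request.getServerName())) {
                    return null;            // already relative, or points at another host
                }
                String path = (uri.getRawPath() == null || uri.getRawPath().length() == 0) ? "/" : uri.getRawPath();
                return uri.getRawQuery() == null ? path : path + "?" + uri.getRawQuery();
            } catch (URISyntaxException e) {
                return null;
            }
        }
    }
}
```

    Redirects to other hosts are left alone on purpose, so this does not turn an absolute external redirect into a path on your own site; note that, as the thread says, a relative Location relies on the browser accepting it.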

  8. #8


    Hi zhangxin, in order for this HTTPS redirection to work, you have to configure your application server. Spring Security would expect HTTP if you pass an HTTP request and expects HTTPS if you pass through HTTPS. SSL configuration should be done in the application server and not in the Spring Security configuration. Perhaps this might help you in configuring your Tomcat server: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
    Last edited by maeve08; May 2nd, 2011 at 10:21 AM. Reason: wrong quote

  9. #9


    Hi Rob,

    Thanks for your response. Definitely I will post my solutions once I'm done.
    Right now I may have three ways to solve it:
    1. Change to absolute redirection in the Spring Security XML. [can be done and tested]
    2. Change the setting on the load balancer which forces every HTTP request to HTTPS. [have not tested yet]
    3. Change the setting on the web server (httpd); may need to rewrite some header information. [looking into this]

    Hi Maeve08, thanks for your suggestion, but installing the cert on the app servers will need more maintenance cost and more operations. So we decided to install the cert on the load balancer instead, as it is a single entry point and it is easier to extend app/web servers when the traffic load keeps increasing.

    Regards
    ZX

  10. #10


    One other option would be to create a Filter and use an HttpServletRequestWrapper to override the fields on HttpServletRequest. To me this seems less appealing since you need to write custom code. Additionally, you likely need to do some sort of rewriting (i.e. insert/remove a custom header to indicate if it is https) anyways since you would need some way to indicate if it was http or https.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
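    The request-wrapper option from this reply, written out as an added example (hypothetical code, not Spring Security's or Tomcat's): a filter trusts a forwarded-protocol header only when the request arrives from a configured proxy address, and then makes getScheme(), isSecure(), getServerPort() and getRequestURL() report HTTPS. The header name X-Forwarded-Proto and the trustedProxies init-param are assumptions; the load balancer must be set to add the header.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter: map it in web.xml before the Spring Security filter chain. */
public class ForwardedProtoFilter implements Filter {
    private static final String HEADER = "X-Forwarded-Proto"; // assumed to be set by the load balancer
    private Set<String> trustedProxies = new HashSet<String>();

    public void init(FilterConfig config) {
        // Assumed init-param, e.g. "10.0.0.5,10.0.0.6": addresses the header may be trusted from.
        String param = config.getInitParameter("trustedProxies");
        if (param != null) {
            trustedProxies.addAll(Arrays.asList(param.trim().split("\\s*,\\s*")));
        }
    }
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String proto = request.getHeader(HEADER);
        // Honour the header only from a known proxy; otherwise any client could claim "https".
        if (trustedProxies.contains(request.getRemoteAddr()) && "https".equalsIgnoreCase(proto)) {
            request = new HttpsAwareRequest(request);
        }
        chain.doFilter(request, res);
    }

    static class HttpsAwareRequest extends HttpServletRequestWrapper {
        HttpsAwareRequest(HttpServletRequest request) { super(request); }

        @Override public String getScheme() { return "https"; }
        @Override public boolean isSecure() { return true; }
        @Override public int getServerPort() { return 443; }   // assumes the load balancer listens on 443

        @Override public StringBuffer getRequestURL() {
            // Rebuild the URL the client actually used, so absolute redirects derived from it are https.
            StringBuffer url = new StringBuffer("https://").append(getServerName());
            if (getServerPort() != 443) url.append(':').append(getServerPort());
            return url.append(getRequestURI());
        }
    }
}
```

    Because Spring Security's channel processing also consults isSecure(), the redirect loop seen with requires-channel="https" should disappear as well once the request reports HTTPS.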
