offloading https to load balancers

[mueller]

Right now, the load balancers handle https and then pass along that https to my web servers. So dealing with https double for each request. What I want to do is completely offload https so my web servers don't have to deal with it. I think this is pretty common.

How do I configure Spring Security and JSP pages given that the web servers think all requests are http? Obviously I'll have to modify the <intercept-url> elements of my configuration to have their requires-channel attribute always be http or any. In my JSP pages I'll have to prepend the <c:url value=''/> links with a ${secureUrl} and ${nonSecureUrl} depending whether the resulting page needs to be https or http. Redirects from controllers need to be modified as well... Anything else?

Seems like quite a pain to modify all links in JSP pages to include the scheme and host too. Is there a better way to do that?

[Rob Winch]

This is a question of how to properly setup your container behind a proxy and should probably be directed to it's forums. If you search for proxy and Spring Security there are a few threads (i.e. this thread is pretty good) that demonstrate how to do this with a few containers. However, since this is a Spring Security forum we are generally not experts with setting up J2EE containers. If you have another container that you are trying to figure out and find out how to set it up with a proxy I would encourage you to post back in order to give back to the community.