Apr 13th, 2012, 09:03 AM
Spring Security, SSL and Heroku
For my app on Heroku, I'm trying to get all requests to pass on https. I've got most of the app on https by writing my own secure filter which I've added to my web.xml before the SpringSecurityFilterChain, which basically redirects to https.
However, I noticed that when I log in, the URL was switching from https to http. I believe it happens for both j_spring_security_check and j_spring_security_logout.
Has anyone had any experience with this or can point me in the right direction?
Apr 15th, 2012, 09:20 AM
You should confirm that your web server has been enabled for HTTPS. In Tomcat, to enable HTTPS, server.xml should be configured to support HTTPS.
Apr 15th, 2012, 10:41 AM
Thanks for the reply, arai. Heroku offers a service called Piggyback SSL. The SSL is terminated at the load balancer level.
Apr 15th, 2012, 03:03 PM
After taking a screencast and seeing the URL change in slow motion, I now see what is happening. So after login and logout Spring redirects to default-target-url and logout-success-url, which go to http. I was then able to find someone else having the same issue here.
I am able to resolve the issue by putting the full https URL in default-target-url and logout-success-url. However, this seems like a bug to me.
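An alternative to hard-coding full https URLs in default-target-url and logout-success-url, as an added example that is not part of the original thread: a servlet filter that rewrites same-host redirects to https when the load balancer reports that the client connected over https. The class name HttpsRedirectFilter and the use of the X-Forwarded-Proto header are assumptions not stated in the thread.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter (not from the thread): map it in web.xml before
// springSecurityFilterChain so Spring Security receives the wrapped response.
public class HttpsRedirectFilter implements Filter {

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Assumption: the load balancer sets X-Forwarded-Proto itself and the
        // app is reachable only through it, so a client cannot forge the value.
        if (!"https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"))) {
            chain.doFilter(req, res);
            return;
        }
        final String host = request.getServerName(); // public host; external port assumed 443
        chain.doFilter(req, new HttpServletResponseWrapper(response) {
            @Override
            public void sendRedirect(String location) throws IOException {
                String plain = "http://" + host;
                if (location.startsWith("/") && !location.startsWith("//")) {
                    // Server-relative target, e.g. a relative default-target-url
                    location = "https://" + host + location;
                } else if (location.equals(plain) || location.startsWith(plain + "/")) {
                    // Same-host absolute URL built from the internal http scheme
                    location = "https://" + host + location.substring(plain.length());
                }
                super.sendRedirect(location);
            }
        });
    }
}
```

Redirects to other hosts and protocol-relative targets pass through unchanged, so the filter does not widen where the application can redirect.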