May 30th, 2012, 03:28 AM
Do redirects over HTTPS when the web server is running over HTTP
This one is a bit thorny - we're running an Apache over HTTPS in front of our web servers, which run over HTTP. So the client interacts with Apache over HTTPS which then passes the request to a web server over HTTP.
Since the web server running the application is on HTTP, then when Spring Security does a redirect, that's done over HTTP - Apache will pass that back to the client as is - and the client will now do a request over HTTP.
This request will be blocked by the browser, since it's on a different protocol, because the Same Origin Policy is kicking in (it's an Ajax XHTTP request).
So, what I was hoping I could do is to configure Spring Security to do the redirects over HTTPS, even if it's actually running on HTTP - essentially overriding the protocol somehow - either manually (which I can probably do based on the referrer information) or, if possible, automatically. The goal to have redirects on HTTPS is that the client would get them and do them on HTTPS, as it should, so the Same Origin Policy won't block the request.
So, my question is if this is possible somehow, or if there is a better solution to approach this (other than running the web server over HTTPS, or using Apache itself to change the protocol in the redirect - which are external solutions).
Any help is appreciated - this is a tricky one.
Last edited by eugenparaschiv; May 30th, 2012 at 03:32 AM.
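The setup described in the post above, sketched as an added example that is not part of the original post or of Spring Security itself: a custom implementation of Spring Security's `RedirectStrategy` interface that issues every redirect against one configured HTTPS origin. It assumes the `javax.servlet` API; the class name, the helper `toPublicUrl` and the origin value are hypothetical.

```java
import java.io.IOException;
import java.net.URI;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.RedirectStrategy;

/** Hypothetical strategy: every redirect is issued against one configured HTTPS origin. */
public class PublicOriginRedirectStrategy implements RedirectStrategy {

    private final String publicOrigin; // e.g. "https://app.example.com" (constructed value)

    public PublicOriginRedirectStrategy(String publicOrigin) {
        URI origin = URI.create(publicOrigin);
        if (!"https".equalsIgnoreCase(origin.getScheme()) || origin.getHost() == null) {
            throw new IllegalArgumentException("public origin must be an absolute https URL");
        }
        // Keep scheme and authority only. The origin comes from configuration,
        // not from the Host or Referer header, which the client controls.
        this.publicOrigin = "https://" + origin.getRawAuthority();
    }

    @Override
    public void sendRedirect(HttpServletRequest request, HttpServletResponse response,
                             String url) throws IOException {
        String target = toPublicUrl(request.getContextPath(), url);
        // An absolute URL is sent as-is, so the container no longer derives
        // the Location header from the backend's own http scheme.
        response.sendRedirect(response.encodeRedirectURL(target));
    }

    /** Maps a context-relative or absolute (http://backend/...) URL onto the public origin. */
    String toPublicUrl(String contextPath, String url) {
        URI uri = URI.create(url);
        String raw = uri.getRawPath();
        String path = (raw == null || raw.isEmpty()) ? "/" : raw;
        if (!uri.isAbsolute()) {
            // Assumption: non-absolute targets (e.g. "/login") are context-relative.
            path = contextPath + (path.startsWith("/") ? path : "/" + path);
        }
        String query = uri.getRawQuery() == null ? "" : "?" + uri.getRawQuery();
        // Scheme and host of the input are discarded, so a redirect can never
        // leave the public origin or fall back to http.
        return publicOrigin + path + query;
    }
}
```

Handlers that expose a `setRedirectStrategy` setter, such as `SimpleUrlAuthenticationSuccessHandler`, can be given an instance of this class. Because the host of the incoming URL is discarded, redirects that are meant to go to another site would need a separate, explicit allow-list.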