May 17th, 2007, 12:29 PM
secure redirect behind load balancer
We have some apps that are run behind a load balancer and the balancer also handles ssl encryption. All requests internally are handled on a single none secure port (8080). The request header has a flag to mark if the request is secure.
When a request comes in that starts on https and I return a redirect (eg. viewName="redirect:somepage.do"), it sends a redirect with an insecure url. Is there a way to configure spring to be aware of the request header and return a secure url? Id rather not have to add code to all my controllers to return the correct ModelAndView.
Thanks in advance,
May 17th, 2007, 01:15 PM
For some application servers (weblogic, etc), the redirect to HTTPS is controlled via web.xml. For weblogic, if you add the appropriate http header, weblogic will accept non http connection as https as it is assuming the SSL was front-end offloaded. This shouldn't be a spring issue, AFIK.
May 18th, 2007, 10:04 AM
We were using Cisco's Content Switch Balancing and ran into the same issue. There is nothing Spring Can do about it, as the Switch was turning an SSL request to non ssl request before forwarding it our webpage.
The only way around this issue is that Configure the Switch correctly. We had set a flag in the switch to turn the flag on where it says that even if it is a redirect, change http to https. ( a very simple flag setting, nothing fancy)
Mar 10th, 2008, 09:36 AM
I ended up customizing UrlBasedViewResolver and RedirectView
I had the very same issue - the load balancer was offloading SSL encryption/decryption and passing the request along on port 80. Spring's redirect notion ('redirect:') for relative URLs responds on the same protocol as the incoming request so all my redirects went out on port 80.
Fortunately our load balancer injects a header indicating that the request came in on SSL. I extended UrlBasedViewResolver to intercept relative 'redirect:' s (I left explicit fully-qualified redirects alone) and then extended RedirectView to check the request header for the load-balancer-injected flag and build an https: response if necessary.
Hope this helps. Drop me a line if you need more info.
Last edited by sams_6; Mar 10th, 2008 at 09:37 AM.
Aug 18th, 2008, 08:14 PM
i'm in the same boat, but i also need to configure spring web flow to do the same thing, and i can't figure out how to do it...do you have any ideas?
Originally Posted by sams_6