I have the following scenario.
Load Balancer (LB) (with SSL HW Accelerator) -> Web Server (WS) -> App Server (AS) running acegi.
Pretty standard. A browser can have http or https connections to the LB but downstream, the WS and AS only receive http connections. We originally forced all traffic to be https (via redirectors) but now are looking at selective channel security. I've used acegi's channel security on other projects but the AS handled the SSL so no problem.
The only way I can figure out how to make this work is to create a custom channel processor that looks at the server port to make the decision. The default SecureChannelProcessor didn't work because the LB isn't reporting the connection isSecure to the AS. My approach does work but it has a slightly bad smell. Surely others have worked with channel filtering where the SSL processing is handled upstream of the AS/acegi layer. How have others done this?
BTW, I looked into what options either the LB or even our WS could set to indicate if the user was in a secure connection or not. I didn't see any but may have missed them...
My implementation goes something like this:
The implementation of PortBasedChannelProcessor simply uses the portMapper to test if portMapper.lookupHttpPort(request.getServerPort()) returns a value (indicating we are running on a port designated as https according to our port mapper). The implementation has a flag which can cause it to look up https ports so the processor can be used as an insecure decider too.
Code:
<bean id="secureChannelProcessor" class="my.package.PortBasedChannelProcessor">
    <property name="entryPoint" ref="secureChannelEntryPoint"/>
    <property name="portMapper" ref="portMapper" />
    <property name="secureKeyword" value="REQUIRES_SECURE_CHANNEL"/>
</bean>
Pretty simplistic but it seems to work.
Thanks in advance.
David
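The processor described in the post, written out as an added example rather than David's own code. It assumes Acegi 1.0's org.acegisecurity.* interfaces (ChannelProcessor, ChannelEntryPoint, PortMapper, FilterInvocation); the class name and setter names are inferred from the bean definition above, and requireSecure is an assumed name for the "insecure decider" flag.

```java
import java.io.IOException;
import java.util.Iterator;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.intercept.web.FilterInvocation;
import org.acegisecurity.securechannel.ChannelEntryPoint;
import org.acegisecurity.securechannel.ChannelProcessor;
import org.acegisecurity.util.PortMapper;
import org.springframework.util.Assert;

// Decides secure/insecure from the server port the request arrived on, looked up
// in the PortMapper, instead of request.isSecure(), which is always false when TLS
// terminates at the load balancer. Class and setter names are assumed from the
// bean definition in the post; requireSecure is the "insecure decider" flag.
public class PortBasedChannelProcessor implements ChannelProcessor {
    private ChannelEntryPoint entryPoint;
    private PortMapper portMapper;
    private String secureKeyword = "REQUIRES_SECURE_CHANNEL";
    private boolean requireSecure = true; // false: the keyword demands plain HTTP instead
    // True when the port is registered as an HTTPS port: lookupHttpPort maps an HTTPS
    // port to its HTTP twin and returns null for ports it does not know.
    boolean arrivedOnHttpsPort(HttpServletRequest request) {
        return portMapper.lookupHttpPort(new Integer(request.getServerPort())) != null;
    }
    public void decide(FilterInvocation invocation, ConfigAttributeDefinition config)
            throws IOException, ServletException {
        Assert.isTrue(invocation != null && config != null, "Nulls cannot be provided");
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            if (supports((ConfigAttribute) it.next())) {
                boolean onHttps = arrivedOnHttpsPort(invocation.getHttpRequest());
                // Mismatch between the channel we are on and the channel demanded:
                // hand over to the entry point (typically a redirect to the other port).
                if (onHttps != requireSecure) {
                    entryPoint.commence(invocation.getRequest(), invocation.getResponse());
                    return;
                }
            }
        }
    }
    public boolean supports(ConfigAttribute attribute) {
        return attribute != null && secureKeyword.equals(attribute.getAttribute());
    }
    public void setEntryPoint(ChannelEntryPoint e) { this.entryPoint = e; }
    public void setPortMapper(PortMapper p) { this.portMapper = p; }
    public void setSecureKeyword(String k) { this.secureKeyword = k; }
    public void setRequireSecure(boolean r) { this.requireSecure = r; }
}
```

The decision is only as trustworthy as the port information: it relies on the LB forwarding HTTPS and HTTP traffic to distinct app-server ports that match the PortMapper configuration, so that mapping should be verified end to end before the processor is relied on.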