0
votes

On login, my application is redirected from 443 to 80: the original URL is https://myhost.com/myapp/login.jsp, but when I submit, the URL https://myhost.com/myapp/j_spring_security_check is called, and on login success, it tries to connect to https://myhost.com:80/myapp/

The URL https://myhost.com/myapp/login.jsp calls an Apache server. This Apache calls a Tomcat over http (port 11080).

The login action is handled by Spring Security with this config:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
    <global-method-security secured-annotations="enabled">
    </global-method-security>
    <http auto-config="true">
        <intercept-url pattern="/faces/secure/**" access="ROLE_ADMIN" />
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1"/>
        <logout logout-success-url="/index.jsp"/>
        <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
    </http>
    <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>
</beans:beans>

This problem is only with login and logout actions, so I think Spring Security is the problem.

Everything works fine and there is no redirection when the original URL doesn't use the default https port 443: https://myhost.com:12345/myapp/login.jsp

Everything works fine too when Apache calls Tomcat with the ajp protocol.

Unfortunately, I have to call Apache on port 443 and Tomcat with the http protocol.

The thread Spring Security Https Wrong Port is nearly my problem, except I don't call Tomcat with https, but with http.

My Tomcat configuration for connectors is:

<Connector port="11080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true" />

<Connector port="11009" 
           enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
2
Please post your tomcat connector configuration. It is likely there is a problem with the internal server configuration (which is used for redirects). The fact that it works when you are using AJP makes this even more likely. - Shaun the Sheep

2 Answers

0
votes

The problem seems to be the response.sendRedirect instruction, which is used in Spring Security for login, and in my application for logout:

response.sendRedirect(response.encodeRedirectURL(finalUrl));

To solve the problem, I added a valve in Tomcat as described in this article: http://blog.inuus.com/vox/2009/04/tomcat-and-ssl-accelerators.html

0
votes

The accepted answer is suggesting a custom valve relying on a Microsoft-specific header (Front-End-Https). Instead, you should be using the already provided RemoteIpValve and rely on the de-facto standard x-forwarded-proto header.

The reason AJP proxy works with no additional effort is that it is a binary protocol, so there is no HTTP call between the web server/load balancer and Tomcat, thus no schema/port changing problem.
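A sketch of the two Tomcat-side configurations for TLS termination at Apache, added here as an example and not taken from either answer or the linked article. It assumes Apache runs on the same host as Tomcat (so the trusted proxy address is 127.0.0.1) and that the 443 virtual host sets the header with mod_headers; both are assumptions to adapt.

```xml
<!-- conf/server.xml fragments (added example; the proxy address is an assumption) -->

<!-- Option A: RemoteIpValve, placed inside <Engine> or <Host>.
     Assumed Apache side, in the 443 virtual host (mod_headers):
         RequestHeader set X-Forwarded-Proto "https"
     When the request comes from an address matching internalProxies and the
     header equals protocolHeaderHttpsValue, Tomcat reports scheme "https",
     secure=true and server port httpsServerPort, so absolute redirects built
     by response.sendRedirect() point at https on 443 instead of port 80. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127\.0\.0\.1"
       remoteIpHeader="x-forwarded-for"
       protocolHeader="x-forwarded-proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="443" />
<!-- internalProxies is a regular expression over the peer address. Keep it as
     narrow as the real proxy set: a header arriving from any other address is
     ignored, which prevents a client that reaches port 11080 directly from
     claiming its plain-HTTP request was HTTPS. Apache should set the header
     with "set" (overwrite), not append, so a client-supplied value is not
     passed through. -->

<!-- Option B: no header at all. Tell the HTTP connector from the question
     that it always sits behind the TLS front end. -->
<Connector port="11080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"
           proxyName="myhost.com" proxyPort="443"
           scheme="https" secure="true" />
<!-- With option B every request on this connector is reported as secure,
     so port 11080 must be reachable only from Apache (bind it to loopback
     or firewall it); otherwise plain-HTTP traffic would be treated as HTTPS. -->
```

Use one option or the other, not both; after the change, a successful login should answer with a `Location` header of https://myhost.com/myapp/ rather than https://myhost.com:80/myapp/.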