  • Spring security's HTTPS issue with load balance

    Hi there,

    I have one load balancer + 2 web servers (apache) + 2 app servers (tomcat)
    and the SSL cert installed on the load balancer.
    Using spring security version 2.0.4.

    http access is working fine, but when I try to use https://ab.com/login.jsp and log in successfully, the target page changes back to http (e.g. http://ab.com/index.jsp).

    If I change the configuration for the target index.jsp in the http tag as below, I encounter another error [Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects.]
    <intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS" requires-channel="https"/>
    It looks like it is because of the http connection between the web server and the app server, so spring security tries to redirect to https.

    Don't know how to solve this issue.
    Any advice/ideas? Thanks in advance.

    Regards
    ZX
    Last edited by zhangxin; Apr 27th, 2011, 03:05 AM.

  • #2
    It looks like it only affects spring security login/logout functions. The rest of the functions work fine.
    It looks again like an absolute path vs. relative path issue, as it is solved when I change the default target index.jsp to https://ab.com/index.jsp in the spring security configuration file.
    But it is not a good solution as it fixes (hard-codes) the URL. I thought AJP could solve this kind of issue, but this time it looks like it does not work with spring security.

    Any ideas....?

    thx



    • #3
      Don't know why it only affects spring security login/logout.



      • #4
        I found it is caused by RedirectUtil invoking response.sendRedirect(response.encodeRedirectURL(finalUrl));

        As known, the back-end app server is not aware that the client uses https, as internally it is plain http between web and app. Most of my applications use struts forward rather than redirect. That is why they are not impacted.

        Now, I want to know whether spring security has a solution for this scenario??



        • #5
          Spring security is using http when it does the redirect because HttpServletRequest.getScheme() is http. The reason you are not having the issue with other redirects is likely because the redirect is not absolute. Spring Security follows the RFC and only specifies location header values of absolute URLs (i.e. absolute redirects) which are based upon the HttpServletRequest. One option is to configure all your DefaultRedirectStrategy's to be contextRelative (you could do this with a BeanPostProcessor as described in the FAQ). Another, to me more attractive option, is to configure Tomcat to be aware it is behind a proxy. You will want to refer to the Tomcat documentation to learn how to do this.

          HTH,



          • #6
            Hi Rwinch,

            Thanks very much for your kindly help.

            For your option 2, do I need to configure httpd (which is one more layer between app and load balancer) as well? Any documentation I can refer to?

            For option 1, does version 2.0.4 also support changing DefaultRedirectStrategy?

            Lastly, could I know what the difference is between relative and absolute redirection? What are the cons and pros?



            • #7
              Originally posted by zhangxin View Post
              For your option 2, do I need to configure httpd (which is one more layer between app and load balancer) as well? Any documentation I can refer to?
              I would refer you to tomcat's documentation on how to do this. If you are having problems, the tomcat forums are likely the best option. I realize this response may appear to be rude, but in all honesty I am a novice at configuring tomcat for prod environments (I understand the basics and at a high level what needs to be done). Therefore, I am guiding you to the tomcat experts so that you get the correct setup. I would encourage you to respond back to this thread and post your setup so that others can use this information too (it would be a great way to give back to the community).

              Originally posted by zhangxin View Post
              For option 1, does version 2.0.4 also support changing DefaultRedirectStrategy?
              Sorry I did not notice that you were using 2.x. This option does not work for 2.x. The only way I can think of making this an option is by overriding the HttpServletResponse.sendRedirect method to remove the scheme, host, and port by using an HttpServletResponseWrapper.

              Originally posted by zhangxin View Post
              Lastly, could I know what the difference is between relative and absolute redirection? What are the cons and pros?
              The difference is that the RFC states you should use absolute URLs. For all practical purposes most browsers will support relative redirects, but technically absolute URLs are correct and are what is guaranteed to work.



              • #8
                Hi zhangxin, in order for this https redirection to work, you have to configure your application server. Spring security would expect http if you pass an http request and expects https if you pass through https. SSL configuration should be done in the application server and not in the spring security configuration. Perhaps this might help you in configuring your tomcat server: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
                Last edited by maeve08; May 2nd, 2011, 11:21 AM. Reason: wrong quote



                • #9
                  Hi Rob,

                  Thanks for your response. Definitely I will post my solutions once I am done.
                  Right now I may have three ways to solve it:
                  1. change to absolute redirection in the spring security xml. [can be done and tested]
                  2. change the setting on the load balancer which forces every http request to https. [have not tested yet]
                  3. change the setting on the web server (httpd). May need to rewrite some header information. [looking into this]

                  Hi Maeve08, thanks for your suggestion. But installing the cert on the APP servers will need more maintenance cost and more operations. So we decided to install the cert on the load balancer instead, as it is a single entry point and it is easier to extend app/web servers when the traffic load keeps increasing.

                  Regards
                  ZX



                  • #10
                    One other option would be to create a Filter and use an HttpServletRequestWrapper to override the fields on HttpServletRequest. To me this seems less appealing since you need to write custom code. Additionally, you likely need to do some sort of rewriting (i.e. insert/remove a custom header to indicate if it is https) anyways since you would need some way to indicate if it was http or https.
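                    The Filter-plus-wrapper approach from this post and the sendRedirect override from #7, written out as one added example (not code from the thread or from Spring Security). It assumes the balancer sends `X-Forwarded-Proto: https` on TLS requests and reaches this tier from the addresses given in a `trustedProxies` init-param, and that the public https port is 443; the class and parameter names are hypothetical. The point a practitioner must not skip is the trust check: the header is only honoured when the immediate peer is the proxy, otherwise any client can mark a plain-http request as "secure" and pass a requires-channel="https" rule without TLS. The response wrapper is needed because the container's sendRedirect builds the absolute Location from its own connector scheme (http), not from the request wrapper.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Added example: for a servlet container that only ever sees plain http from a
 * TLS-terminating load balancer. Assumed (hypothetical): the balancer sends
 * "X-Forwarded-Proto: https" on TLS requests, reaches this tier from the
 * addresses listed in the trustedProxies init-param, and the public https
 * port is 443. Map this filter in web.xml before springSecurityFilterChain.
 */
public class ForwardedHttpsFilter implements Filter {

    private final Set<String> trustedProxies = new HashSet<String>();

    public void init(FilterConfig cfg) throws ServletException {
        String list = cfg.getInitParameter("trustedProxies"); // e.g. "10.0.0.5,10.0.0.6"
        if (list != null) {
            for (String p : list.split(",")) trustedProxies.add(p.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Honour the header only when the immediate peer is our own proxy.
        // Otherwise any client could send "X-Forwarded-Proto: https" over plain
        // http and satisfy requires-channel="https" without ever using TLS.
        boolean forwardedHttps = trustedProxies.contains(request.getRemoteAddr())
                && "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));
        if (forwardedHttps) {
            request = new HttpsRequest(request);
            response = new HttpsRedirectResponse(response, request);
        }
        chain.doFilter(request, response);
    }

    public void destroy() { }

    /** Reports the client-facing scheme, so isSecure() and requires-channel see https. */
    static class HttpsRequest extends HttpServletRequestWrapper {
        HttpsRequest(HttpServletRequest r) { super(r); }
        @Override public String getScheme() { return "https"; }
        @Override public boolean isSecure() { return true; }
        @Override public int getServerPort() { return 443; }
        @Override public StringBuffer getRequestURL() {
            return new StringBuffer("https://").append(getServerName()).append(getRequestURI());
        }
    }

    /**
     * Tomcat's sendRedirect turns a relative location into an absolute one using
     * its own connector scheme (http), bypassing the request wrapper above. So
     * write the Location header directly, in the https form.
     */
    static class HttpsRedirectResponse extends HttpServletResponseWrapper {
        private final HttpServletRequest request;
        HttpsRedirectResponse(HttpServletResponse r, HttpServletRequest request) {
            super(r);
            this.request = request;
        }
        @Override public void sendRedirect(String location) throws IOException {
            resetBuffer();
            setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
            setHeader("Location", toHttpsAbsolute(location));
            flushBuffer();
        }
        /** Absolute URLs for our own host are upgraded; foreign hosts pass through. */
        String toHttpsAbsolute(String location) {
            try {
                URI target = new URI(location);
                if (target.isAbsolute()) {
                    boolean ours = "http".equalsIgnoreCase(target.getScheme())
                            && request.getServerName().equalsIgnoreCase(target.getHost());
                    return ours ? "https://" + target.getHost() + target.getRawPath()
                            + (target.getRawQuery() == null ? "" : "?" + target.getRawQuery())
                            : location;
                }
            } catch (URISyntaxException e) {
                return location; // unparseable: leave it to the browser
            }
            // Relative location: resolve against the current request, as the container would.
            String uri = request.getRequestURI();
            String path = location.startsWith("/") ? location
                    : uri.substring(0, uri.lastIndexOf('/') + 1) + location;
            return "https://" + request.getServerName() + path;
        }
    }
}
```

                    With this in place `RedirectUtils`/`DefaultRedirectStrategy` can keep passing a context-relative path to sendRedirect and the browser receives `Location: https://ab.com/...`. For the trust check to mean anything, every hop before Tomcat (the httpd layer in this thread) must forward the balancer's header unchanged and must not let a client-supplied `X-Forwarded-Proto` through. The same result without custom code: Tomcat's `RemoteIpValve` (6.0.24 and later) with `protocolHeader="X-Forwarded-Proto"` and `internalProxies` set to the balancer's addresses performs this trust check and sets the connector-level scheme, so sendRedirect is fixed without a response wrapper; the connector attributes `scheme="https" secure="true" proxyPort="443"` mentioned later in the thread do the same unconditionally, which is only safe if the balancer forces http to https so that no plain request can ever reach that connector.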



                    • #11
                      Hi Guys, I am having exactly the same problem. It's working for all pages except for login/logout. So I am trying to configure DefaultRedirectStrategy to set contextRelative to true by a BeanPostProcessor. But the BeanPostProcessor doesn't work for DefaultRedirectStrategy. I am using Spring 3.0.5.

                      Here is my bean configs,

                      Security.xml
                      Code:
                      <http use-expressions="true">
                      		<intercept-url pattern="/" requires-channel="any" access="permitAll" />
                      		<intercept-url pattern="/login" requires-channel="any" access="permitAll" />
                      		<intercept-url pattern="/error" requires-channel="any" access="permitAll" />
                      		<intercept-url pattern="/version" requires-channel="any" access="permitAll" />
                      		<intercept-url pattern="/home" requires-channel="any" access="isAuthenticated()" />
                      		<intercept-url pattern="/article/*" requires-channel="any" access="isAuthenticated()" />
                      		<intercept-url pattern="/resource/**" requires-channel="any" access="isAuthenticated()" />
                      		<form-login login-page="/login" />
                      		<logout />
                      .....
                      BeanConfig.xml
                      Code:
                      ...
                      <bean class="com.bskyb.mobile.web.today.utils.DefaultRedirectStrategyBeanPostProcessor" />
                      ....
                      DefaultRedirectStrategyBeanPostProcessor.java
                      Code:
                      import org.springframework.beans.BeansException;
                      import org.springframework.beans.factory.config.BeanPostProcessor;
                      import org.springframework.security.web.DefaultRedirectStrategy;
                      
                      public class DefaultRedirectStrategyBeanPostProcessor implements BeanPostProcessor {
                      
                      	/* Nothing to do after initialisation; return the bean unchanged. */
                      	@Override
                      	public Object postProcessAfterInitialization(Object bean, String beanName)
                      			throws BeansException {
                      		return bean;
                      	}
                      
                      	/*
                      	 * Switch every DefaultRedirectStrategy that the container creates as a
                      	 * Spring bean to context-relative redirects. Only objects registered
                      	 * as beans pass through a BeanPostProcessor.
                      	 */
                      	@Override
                      	public Object postProcessBeforeInitialization(Object bean, String beanName)
                      			throws BeansException {
                      		if (bean instanceof DefaultRedirectStrategy) {
                      			((DefaultRedirectStrategy) bean).setContextRelative(true);
                      		}
                      		return bean;
                      	}
                      }
                      I cannot upgrade the spring version as we are near the production release.

                      Can someone please advise me how to overcome this issue?

                      Thanks.



                      • #12
                        Hi aniananth,

                        So far I have tried two solutions successfully:
                        1) using the full path (absolute redirect) in security.xml
                        <form-login login-page="/login.jsp" default-target-url="your vip/webapplication/index.jsp" authentication-failure-url="your vip/webapplication/login.jsp?error=true" />
                        2) you can try to find out whether your load balancer supports forcing a redirect from http to https. If so, then all http requests will be force-redirected to https.



                        • #13
                          In addition, many containers support proxies directly by allowing the scheme/host/port to be overridden. Search for your container name (i.e. Tomcat, WebSphere, etc.) and "using a proxy".

                          For example, in tomcat you can set the scheme on the connector to be https (even if the load balancer is connecting via http). See the scheme attribute in the common attributes.

                          Websphere has a few custom properties that do the same thing.
                          Code:
                          com.ibm.ws.webcontainer.extractHostHeaderPort = true
                          trusthostheaderport = true
                          httpsIndicatorHeader = com.ibm.ws.httpsIndicatorHeader



                          • #14
                            Hi Rwinch,

                            It is great, but for my case I cannot use this feature because the SSL cert is installed on the load balancer rather than on my app servers.



                            • #15
                              Hi Guys,

                              Thanks for all your replies.

                              Reasons why I cannot use the absolute path are:
                              • My SSL cert also resides in the load balancer
                              • Also, for a single environment we have internal access and external access, where we sometimes access the node or vip or load balancer, etc. directly. This is not too much of a concern as the first seems blocking anyway.

                              My env is tomcat end to end.

                              Today I will try the second option, I mean force redirect http to https on the load balancer.

                              Other question: is this solved in later versions, like 3.1.0.M1 or M2? I have seen some change log related to this. https://jira.springsource.org/browse/SEC-1496

                              If so, how do I use that? But this is my last option, at worst case.

                              Thanks guys.

                              cheers.

