Announcement Announcement Module
No announcement yet.
Amazon Web Services Load Balancer + Tomcat + Spring security issue Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Amazon Web Services Load Balancer + Tomcat + Spring security issue


    We are trying to configure elastic load balancer on Amazon web services (
    AWS) on a couple of EC2 instance with Tomcat running on them. We are routing the port 80 on load balancer to Tomcat port 8080 on http and it is working fine. However, for https protocol when we route port 443 on Load balancer to port 8443 on tomcat and call j_spring_security_check the request is not responding. Is there any know issue regarding this setup? Is there any configuration that need to be setup on spring security or tomcat or the load balancer side?

    We have purposely disabled SSL in Tomcat, as the https call is made on the load balancer url rather than Tomcat directly.

    My spring security xml is as follows

    <global-method-security pre-post-annotations="enabled">
    	<http use-expressions="true">
    		<intercept-url pattern="/**/index.html" access="permitAll" />
    		<intercept-url pattern="/index.html" access="permitAll" />
    		<intercept-url pattern="/**/login.jsp" access="permitAll" />
    		<intercept-url pattern="/*.jsp" access="isAuthenticated()" />
    		<intercept-url pattern="/**/*.jsp" access="isAuthenticated()" />
    		<form-login login-page="/"  />
    		<logout invalidate-session="true" logout-success-url="/index.html"
    			logout-url="/j_spring_security_logout" />
    		<session-management invalid-session-url="/index.html">
    			<concurrency-control max-sessions="50"
    				error-if-maximum-exceeded="true" />
    		<authentication-provider ref='ShrisAuthenticationProvider'>
    	<beans:bean id="ShrisAuthenticationProvider" class="">
    My tomcat server.xml configuration is as follows with the connectors

        <Connector port="8080" protocol="HTTP/1.1" 
                   redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="false"
                   maxThreads="150" scheme="https" secure="false"
                   clientAuth="false" sslProtocol="TLS"
    Your help is greatly appreciated


  • #2
    What do you mean by "the request is not responding"? Can you make any request on that port? And can you successfully perform a redirect from a request to another URL within the application?

    If not, then this is not a Spring Security issue and you should make sure you have your tomcat configuration set up properly for proxying before trying to use Spring Security with it.


    • #3

      Yes, I am able to redirect a https call from the load balancer to the tomcat application to serve up a simple html page. However when I try to load the following login jsp page from the load balancer it is not returning back. All it says in the bottom browser status bar is "waiting for http://......./j_spring_security_check...

      <?xml version="1.0" encoding="ISO-8859-1" ?>
      <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
      <body bgcolor="#FFFFFF">
      <form action="j_spring_security_check" method="post">
       <label for="j_username"></label>
        <label for="j_password"></label>
         <table width="241" border="0" align="center" cellpadding="0" cellspacing="0" bordercolor="#1DB6E2">
          <td class="style13"><input id="j_username" name="j_username" size="20" maxlength="50" type="text"/></td>
          <td width="120" class="style13"><input id="j_password" name="j_password" size="20" maxlength="50" type="password"/></td>
      Thanks for your quick response.



      • #4
        Why you say you are loading the jsp, do you mean submitting the form that is in that JSP or trying to load the JSP itself?

        A few things to check:
        • Did you make sure the address in the browser is the correct value (i.e. is it submitting to the https if it is suppose to, the correct host is being used, the correct port is being used)?
        • Does the request actually get to the application? If so, what do the logs for the request look like?