
Acegi redirects to http and not https? (advanced)

 
Mis Visning
Greenhorn
Posts: 4
(First, sorry if this topic is misplaced.)

I am using Acegi in a web application (with Tomcat), but I have a small problem in the production environment with https.

1) The login-page is https.
2) User types username and password and clicks "Log in".
3) IE 6.0 shows a warning "You are about to be redirected to a connection that is not secure bla bla", user clicks "Yes".
4) User is logged in, and URL still shows https. The warning doesn't show up again.

I haven't heard any complaints yet, but a careful user might react that the password seemingly is sent over an insecure connection.
(However, this warning is NOT shown in IE 7.0, Opera or Firefox.)

I used a HTTP-sniffer tool to see what's going on, and indeed it seems like j_acegi_security_check redirects to an insecure http-connection.

When user clicks "Log in" this happens:

- 1 -
Request:
POST https://mydomain/j_acegi_security_check
Referer: "https://mydomain/login.htm"

Response:
Status: Moved Temporarily - 302
Location: http://mydomain/menu.htm

(This http is what triggers the warning in IE 6.0)

- 2 -
Request:
GET http://mydomain/menu.htm

Response:
Status: Object moved - 302
Location: https://mydomain/menu.htm

(So here the server tells the browser to try again with https)

- 3 -
Request:
GET https://mydomain/menu.htm

Response:
Status: OK - 200

(Browser does, and all is ok)
---

So why does j_acegi_security_check redirect to insecure http when it is called from https? Any settings to fix this? I have tried different settings for Acegi, like forceHttps, set menu.htm to require secure channel, portMapping, serverSideRedirect - but it still redirects to http.

As far as I can see, the problem is either:
1) Something in Acegi that I haven't managed to find out.
2) Maybe something in Tomcat? What?
3) Or maybe something in the reverse proxy controlling traffic to my server? Could that possibly be the case? I don't have access to this proxy, and no knowledge of it unfortunately.

Any help is greatly appreciated.
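As an added example (not from the original post), here is a small Python script that walks a captured redirect chain like the one above and flags the hop where an https request is answered with a Location pointing to plain http. The capture below is constructed from the post's exchange; the helper names are my own.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample modelled on the exchange in the post (not a real capture).
# Each request line is followed by its response line.
CAPTURE = """\
POST https://mydomain/j_acegi_security_check
302 Location: http://mydomain/menu.htm
GET http://mydomain/menu.htm
302 Location: https://mydomain/menu.htm
GET https://mydomain/menu.htm
200
"""

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_hops(capture):
    """Turn request/response line pairs into (request_url, status, location) tuples."""
    lines = [l.strip() for l in capture.strip().splitlines() if l.strip()]
    hops = []
    for i in range(0, len(lines), 2):
        method, url = lines[i].split(None, 1)
        resp = lines[i + 1].split(None, 2)
        status = int(resp[0])
        location = None
        if len(resp) == 3 and resp[1] == "Location:":
            # Resolve relative Location headers against the request URL.
            location = urljoin(url, resp[2])
        hops.append((url, status, location))
    return hops


def find_downgrades(hops):
    """Return (request_url, location) for every redirect that drops from https to http.

    This is the hop a sniffer shows as the culprit: the browser follows the
    Location to a cleartext URL before the proxy bounces it back to https.
    """
    downgrades = []
    for url, status, location in hops:
        if status in REDIRECT_STATUSES and location:
            if urlsplit(url).scheme == "https" and urlsplit(location).scheme == "http":
                downgrades.append((url, location))
    return downgrades


if __name__ == "__main__":
    for src, dst in find_downgrades(parse_hops(CAPTURE)):
        print(f"https -> http downgrade: {src} redirects to {dst}")
```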