Acegi redirects to http and not https? (advanced)

Mis Visning
Greenhorn

Joined: May 23, 2007
Posts: 4
(First, sorry if this topic is misplaced.)

I am using Acegi in a web application (with Tomcat), but I have a small problem in the production environment with https.

1) The login-page is https.
2) User types username and password and clicks "Log in".
3) IE 6.0 shows a warning "You are about to be redirected to a connection that is not secure bla bla", user clicks "Yes".
4) User is logged in, and the URL still shows https. The warning doesn't show up again.

I haven't heard any complaints yet, but a careful user might react to the password seemingly being sent over an insecure connection.
(However, this warning is NOT shown in IE 7.0, Opera or Firefox.)

I used a HTTP-sniffer tool to see what's going on, and indeed it seems like j_acegi_security_check redirects to an insecure http-connection.

When user clicks "Log in" this happens:

- 1 -
Request:
POST https://mydomain/j_acegi_security_check
Referer: "https://mydomain/login.htm"

Response:
Status: Moved Temporarily - 302
Location: http://mydomain/menu.htm

(This http is what triggers the warning in IE 6.0)

- 2 -
Request:
GET http://mydomain/menu.htm

Response:
Status: Object moved - 302
Location: https://mydomain/menu.htm

(So here the server tells the browser to try again with https)

- 3 -
Request:
GET https://mydomain/menu.htm

Response:
Status: OK - 200

(Browser does, and all is ok)
---

So why does j_acegi_security_check redirect to insecure http when it is called from https? Any settings to fix this? I have tried different settings for Acegi, like forceHttps, set menu.htm to require secure channel, portMapping, serverSideRedirect - but it still redirects to http.

As far as I can see, the problem is either:
1) Something in Acegi that I haven't managed to find out.
2) Maybe something in Tomcat? What?
3) Or maybe something in the reverse proxy controlling traffic to my server? Could that possibly be the case? I don't have access to this proxy, and no knowledge of it unfortunately.

Any help is greatly appreciated.
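As an added example (not part of the post above, and not Acegi or Tomcat code), here is a small check that scans a sniffer trace like the one quoted in the post for the symptom the poster describes: a redirect whose Location downgrades an https request to http, followed by a second hop that bounces the http request back to https. That pattern is what a servlet container produces when a reverse proxy terminates TLS in front of it and the container builds absolute redirect URLs from the plain-http request it actually received; the script only detects the pattern in a trace, it does not fix the configuration. The trace below is constructed to mirror the three exchanges in the post, and the hostname `mydomain` is the placeholder the poster used.

```python
import re
from urllib.parse import urlsplit

# Constructed trace modelled on the three exchanges quoted in the post.
# It is sample input for this check, not output captured from a real server.
TRACE = """\
Request:
POST https://mydomain/j_acegi_security_check
Referer: "https://mydomain/login.htm"

Response:
Status: Moved Temporarily - 302
Location: http://mydomain/menu.htm

Request:
GET http://mydomain/menu.htm

Response:
Status: Object moved - 302
Location: https://mydomain/menu.htm

Request:
GET https://mydomain/menu.htm

Response:
Status: OK - 200
"""

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_exchanges(trace):
    """Turn the textual trace into (request_url, status_code, location) tuples.

    A new exchange starts at every 'METHOD url' request line; the status code
    is taken from the trailing number of the 'Status:' line and the Location
    header is kept verbatim (None when the response had none).
    """
    exchanges = []
    req_url = status = location = None
    for line in trace.splitlines():
        line = line.strip()
        m = re.match(r"^(GET|POST|PUT|DELETE|HEAD)\s+(\S+)$", line)
        if m:
            if req_url is not None:
                exchanges.append((req_url, status, location))
            req_url, status, location = m.group(2), None, None
            continue
        m = re.match(r"^Status:.*?(\d{3})$", line)
        if m:
            status = int(m.group(1))
            continue
        m = re.match(r"^Location:\s*(\S+)$", line)
        if m:
            location = m.group(1)
    if req_url is not None:
        exchanges.append((req_url, status, location))
    return exchanges


def find_downgrades(exchanges):
    """Return every redirect that sends an https request to an http Location.

    Relative Locations (no scheme) are not downgrades: the browser keeps the
    scheme of the request, so only absolute http:// Locations are reported.
    """
    findings = []
    for req_url, status, location in exchanges:
        if status not in REDIRECT_CODES or not location:
            continue
        if urlsplit(req_url).scheme == "https" and urlsplit(location).scheme == "http":
            findings.append({"request": req_url, "status": status, "location": location})
    return findings


def proxy_upgrades_after_downgrade(exchanges):
    """True when a downgrade redirect is followed by an http request that is
    itself redirected back to https: the two-hop signature of a TLS-terminating
    proxy sitting in front of a container that thinks it is serving plain http."""
    for i, (req_url, status, location) in enumerate(exchanges[:-1]):
        nxt_url, nxt_status, nxt_loc = exchanges[i + 1]
        if (status in REDIRECT_CODES and location
                and urlsplit(req_url).scheme == "https"
                and urlsplit(location).scheme == "http"
                and urlsplit(nxt_url).scheme == "http"
                and nxt_status in REDIRECT_CODES and nxt_loc
                and urlsplit(nxt_loc).scheme == "https"):
            return True
    return False


if __name__ == "__main__":
    ex = parse_exchanges(TRACE)
    for f in find_downgrades(ex):
        print("scheme downgrade:", f["request"], "->", f["status"], f["location"])
    print("two-hop proxy upgrade pattern:", proxy_upgrades_after_downgrade(ex))
```

Run it against a trace saved from the sniffer (replace `TRACE` with the file contents, keeping the same `Request:`/`Response:` layout) to confirm which hop introduces the http Location. If the downgrade appears on the hop leaving the application server, the place to look is how the container is told it sits behind TLS, not the browser.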