5

I am using Spring Secutiry framework in web-application. I have installed an SSL certificate and able to get to my application via https. Now, when I added requires-channel="https" attribute to all intercept-url directive the server responses:

Error 310 (net::ERR_TOO_MANY_REDIRECTS) to many connections

The spring runs this code every time:

64050 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy  - / at position 1 of 12 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
64050 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.util.AntPathRequestMatcher  - Checking match of request : '/'; against '/'
64050 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.access.channel.ChannelProcessingFilter  - Request: FilterInvocation: URL: /; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
64050 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint  - Redirecting to: https://sky-handling.ejl-group.com/
64050 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.DefaultRedirectStrategy  - Redirecting to 'https://sub.domain.com/'

How can I solve that?

Thank you

UPD #1:

<http use-expressions="true">
  <form-login login-page="/wellcome/" login-processing-url="/login" default-target-url="/" always-use-default-target="false"
            authentication-failure-url="/wellcome/?error=1" username-parameter="email" password-parameter="password" />
  <remember-me key="temp" token-validity-seconds="-1" />
  <logout invalidate-session="true" logout-success-url="/" logout-url="/logout"/>
  <intercept-url pattern="/" access="authenticated"/>
  <intercept-url pattern="/administration/**" access="authenticated"/>
  <intercept-url pattern="/wellcome/" access="permitAll"/>
  <intercept-url pattern="/login" access="permitAll"/>
  <custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
</http>

I imported the existing certificate to keystore and configured the tomcat, but if I add such lines:

<VirtualHost _default_:443>
        SSLEngine on
        SSLCertificateFile /usr/local/ssl/crt/public.crt
        SSLCertificateKeyFile /usr/local/ssl/private/*.ejl-group.com.key
        SSLCACertificateFile /usr/local/ssl/crt/intermediate.crt
        ServerName sub.domain.com
        ProxyRequests Off
        ProxyPreserveHost On
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        ProxyPass / http://localhost:8443/
        ProxyPassReverse / http://localhost:8443/
</VirtualHost>

it fails with 503 Service Temporarily Unavailable error

nKognito
  • 6,297
  • 17
  • 77
  • 138

2 Answers2

5

I fixed this by adding port-mapping in security.xml file :

<http>
   <port-mappings>
        <port-mapping http="8088" https="8443"/>
        <port-mapping http="80" https="443"/>
   </port-mappings>
</http>

This blog helped me : http://consultingblogs.emc.com/richardtiffin/archive/2010/10/15/applying-ssl-to-a-spring-web-application-on-tomcat.aspx

And if you are behind a load balancer, you have to add some code : Offloading https to load balancers with Spring Security

Community
  • 1
  • 1
Jean-Baptiste Lemée
  • 800
  • 7
  • 13
1

I think these 2 lines are the key:

    ProxyPass / http://localhost:8443/
    ProxyPassReverse / http://localhost:8443/

Notice that you specify http here, not https. So what's happening is that when a client accesses your website through the default HTTPS port (443), httpd forwards request to the tomcat instance using the http scheme. Then, tomcat tries to redirect to HTTPS/443 port, then httpd forwards request to the tomcat instance via using the http scheme and so on.

I'm not sure whether it will work if you simply change the sceme to https, but give it a try.

Though I'm not aware of your security requirements, usually it's not necessary to have an SSL-secured link between an httpd front-end and tomcat back-end. Consider using simple HTTP here or may be even AJP

maksim_khokhlov
  • 794
  • 5
  • 8