We have a GlassFish 4.1 web-application with SSL and port unification configured in domain.xml.
We cannot use built-in authentication mechanisms like BASIC, FORM, CERT-CLIENT. Instead, we use a custom login form (using the Stripes framework - https://github.com/StripesFramework).
We want to redirect all http requests to https, but in IE11 it does not work as expected: the HTTP link is converted into an HTTPS link only on the first access in the browser. Then if the HTTP link is used again in the same browser page, it is no longer replaced with HTTPS.
The issue only appears in Internet Explorer (we're using version 11).
We have tried putting this code in web.xml, as specified in the docs (https://docs.oracle.com/cd/E19226-01/820-7627/bncbk/index.html):

    <security-constraint>
      <display-name>Require HTTPS</display-name>
      <web-resource-collection>
        <web-resource-name>EntireApplication</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

It works as expected the first time an http link pointing to the app login page is accessed, that is, the URL prefix correctly changes from http to https before the page is displayed: http://webapp:8090/ctx_root/ to https://webapp:8090/ctx_root/.
But if afterwards I remove the s from the https prefix in the URL bar (only in IE11), and I press Enter, the http:// prefix is no longer replaced with https:// and the user gets a non-secure version of the login page, with some warnings in the Console: "HTTP security is compromised by http://webapp:8090/ctx_root/js/main.js". However, if the SSL state is cleared in the browser before the second try, the page is again redirected to HTTPS accordingly.
This doesn't happen in Chrome, where each and every time the link changes correctly from http to https.
This is the content of domain.xml:

    <network-config>
      <protocols>
        <protocol name="http-listener-1">
          <http encoded-slash-enabled="true" default-virtual-server="server">
            <file-cache></file-cache>
          </http>
        </protocol>
        <protocol name="http-listener-2" security-enabled="true">
          <http encoded-slash-enabled="true" default-virtual-server="server">
            <file-cache></file-cache>
          </http>
          <ssl ssl3-enabled="false" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="mycert"></ssl>
        </protocol>
        ....
        <protocol name="http-redirect">
          <http-redirect secure="true"></http-redirect>
        </protocol>
        <protocol name="pu-protocol-http">
          <port-unification>
            <protocol-finder protocol="http-listener-2" classname="org.glassfish.grizzly.config.portunif.HttpProtocolFinder" name="http-finder"></protocol-finder>
            <protocol-finder protocol="http-redirect" classname="org.glassfish.grizzly.config.portunif.HttpProtocolFinder" name="http-redirect"></protocol-finder>
          </port-unification>
        </protocol>
      </protocols>
      <network-listeners>
        <network-listener protocol="pu-protocol-admin" port="4848" name="admin-listener" thread-pool="admin-thread-pool" transport="tcp"></network-listener>
        <network-listener protocol="pu-protocol-http" port="8090" name="http-listener-1" thread-pool="http-thread-pool" transport="tcp"></network-listener>
      </network-listeners>
      <transports>
        <transport name="tcp"></transport>
      </transports>
    </network-config>

Any idea why HTTP to HTTPS redirection works only the first time the http link is accessed? Could it be an IE11 or firewall issue?
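
One way to separate server behaviour from browser behaviour for the setup described in the question is to send the same plain-HTTP request to the unified port several times on fresh connections and check that every response is a redirect to `https://` on the same host and port. This is an added example, not part of the original post; the function names are illustrative and the sample responses are constructed, not captured from a GlassFish instance.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample responses (not captured from a real GlassFish instance).
SAMPLE_REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: https://webapp:8090/ctx_root/\r\n\r\n"
SAMPLE_PLAIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

def parse_head(raw):
    """Return (status, headers) from raw response bytes; ValueError if not HTTP."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def classify(raw, host, port):
    """Judge what the server did with a plain-HTTP request to host:port."""
    try:
        status, headers = parse_head(raw)
    except ValueError:
        return "not-http"            # e.g. a TLS alert or a closed connection
    if status in (301, 302, 303, 307, 308):
        loc = urlsplit(headers.get("location", ""))
        if loc.scheme == "https" and loc.hostname == host and (loc.port or 443) == port:
            return "redirect-ok"
        return "redirect-wrong-target"
    return "served-over-http"        # content delivered without TLS

def probe(host, port, path, attempts=3, timeout=5.0):
    """Send the same plain-HTTP GET on fresh connections; one verdict per try."""
    req = f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    verdicts = []
    for _ in range(attempts):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req.encode("ascii"))
            raw = b""
            while b"\r\n\r\n" not in raw and (chunk := s.recv(4096)):
                raw += chunk
        verdicts.append(classify(raw, host, port))
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE_REDIRECT, "webapp", 8090), classify(SAMPLE_PLAIN, "webapp", 8090))
```

Against the deployment in the question the call would be `probe("webapp", 8090, "/ctx_root/")`. A list of identical `redirect-ok` verdicts means the server redirects every plain-HTTP request, which points the investigation at state held by the browser.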