Hi guys, I have a little problem with using SSL on a Tomcat that is behind Apache. I have used Google all morning to try to find a good solution, but nothing so far.

As a part of my SSL VirtualHost configuration I have

<Location /MyApp/>
  ProxyPass http://localhost:8080/MyApp/
</Location>

This works fine for most cases, but j_security_check, after a successful login from https://mysite.com/MyApp, redirects to an HTTP page http://mysite.com/MyApp/secret.html instead of leaving it as an HTTPS page https://mysite.com/MyApp/secret.html. It's not only the login that's confidential, but the data that is being transmitted, so I need to keep it HTTPS. When I add to the application's security-constraints

<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

it redirects to https://mysite.com:8443/MyApp/secret.html. I realize that it redirects to 8443 because server.xml has SSL configured to 8443, but since this is proxied through Apache, it should in fact be 443.

I realize I have no ProxyPassReverse, but that's not something I can add within a section of the Apache config file.

How can I force j_security_check to either redirect relative (so not change https to http) or to redirect to 443 instead of 8443? Is this something I should enforce via Tomcat or Apache's mod_proxy?

Cheers

Nik

+1  A: 

You can't really count on Tomcat to do the redirect to SSL for your setup. You need to write a filter to do the redirect yourself.

For your specific setup, it might work if you add redirectPort like this,

<Connector ... port="8080" redirectPort="443"/>

Please remove the HTTPS connector. It might confuse some versions of Tomcat when you have both redirectPort and HTTPS connector. Sounds like you don't want people to access your HTTPS port anyway.

This only works when you have Apache and Tomcat on the same machine. In a production environment, that may not be the case.

ZZ Coder
Thanks, I'll look into the filters :-)
niklassaers
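
A sketch of the kind of redirect filter the answer refers to, added here as an illustration and not code from either poster. It assumes the `javax.servlet` API (`jakarta.servlet` on Tomcat 10+), that Apache's SSL VirtualHost marks proxied requests with `RequestHeader set X-Forwarded-Proto "https"` (mod_headers) while the plain-HTTP VirtualHost also proxies to Tomcat, and that port 8080 is reachable only from Apache. The class name and the `canonicalHost` init-param are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: sends any request that did not reach Apache over TLS back to HTTPS.
public class ForceHttpsFilter implements Filter {
    private String canonicalHost; // hypothetical init-param, e.g. "mysite.com"

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        canonicalHost = cfg.getInitParameter("canonicalHost");
        if (canonicalHost == null || canonicalHost.isEmpty()) {
            throw new ServletException("canonicalHost init-param is required");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Assumption: only Apache can reach this connector and it *sets* (not
        // appends) the header, so a client-supplied value never gets through.
        String proto = request.getHeader("X-Forwarded-Proto");
        if ("https".equalsIgnoreCase(proto)) {
            chain.doFilter(req, res);
            return;
        }

        // A POST that arrived in clear text has already exposed its body;
        // refuse it instead of redirecting, so the client is not asked to resend.
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        // Build the target from a configured host, not the Host header, so the
        // redirect cannot be steered to another site. No port: Apache owns 443.
        StringBuilder target = new StringBuilder("https://")
                .append(canonicalHost).append(request.getRequestURI());
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        response.sendRedirect(target.toString());
    }

    @Override
    public void destroy() { }
}
```

The filter decides on the header rather than `request.isSecure()` because the proxied connection from Apache to port 8080 is plain HTTP, so Tomcat itself always sees an insecure request.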