I have a web application running on jboss 3.2.7. My client has decided to run it through an SSL Offloader. User agents access the offloader server which handles encryption and decryption then forwards request to the non-ssl jboss server.
I'm having a problem authenticating protected resources with this arrangement. When I make a request for a protected resource, say:
https://offloader.example.com/app/protected/resource
I am properly redirected to my login form. When I then POST the login form, I get a 302 Moved Temporarily response, but the Location header contains a non-SSL URI. Here are the request/response headers for the login form POST:
POST /app/j_security_check HTTP/1.1
Host: offloader.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://offloader.example.com/app/protected/resource
Cookie: JSESSIONID=BF689766D55E7AD2DE64A7771A47086D
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

j_username=test&j_password=test

HTTP/1.x 302 Moved Temporarily
Location: http://offloader.example.com/app/protected/resource
Content-Length: 0
Date: Wed, 14 Sep 2005 22:25:29 GMT
Server: Apache-Coyote/1.1
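As an added illustration (not code from the post or from JBoss), the following Python script parses the 302 response shown above, flags the scheme downgrade in its Location header, and shows what the offloader or container would have to return instead. The response text is a constructed copy of the one in the post; the public hostname and client scheme are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the 302 response from the post, as raw HTTP/1.x text.
RESPONSE = (
    "HTTP/1.x 302 Moved Temporarily\r\n"
    "Location: http://offloader.example.com/app/protected/resource\r\n"
    "Content-Length: 0\r\n"
    "Date: Wed, 14 Sep 2005 22:25:29 GMT\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lowercased-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_downgrades(raw, client_scheme="https",
                        public_host="offloader.example.com"):
    """True if a 3xx response sends a TLS client back to plain HTTP on the
    same public host, i.e. the backend did not know TLS was terminated
    in front of it. public_host and client_scheme are assumed values."""
    status, headers = parse_headers(raw)
    code = status.split()[1]
    if not code.startswith("3") or "location" not in headers:
        return False
    loc = urlsplit(headers["location"])
    return (client_scheme == "https" and loc.scheme == "http"
            and loc.netloc == public_host)


def fixed_location(raw, client_scheme="https"):
    """Rewrite the Location header to the scheme the client actually used,
    which is what the client should have received in the first place."""
    _, headers = parse_headers(raw)
    loc = urlsplit(headers["location"])
    return urlunsplit((client_scheme, loc.netloc, loc.path,
                       loc.query, loc.fragment))


if __name__ == "__main__":
    print("downgrade:", redirect_downgrades(RESPONSE))
    print("expected Location:", fixed_location(RESPONSE))
```

Running the same check against the offloader's responses during a login flow is a quick way to confirm whether the redirect is still leaving on plain HTTP after any configuration change.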