0 Replies Latest reply on Sep 15, 2005 12:56 PM by stand

    Authentication through an SSL Offloader: Incorrect Location

      I have a web application running on jboss 3.2.7. My client has decided to run it through an SSL Offloader. User agents access the offloader server, which handles encryption and decryption, then forwards requests to the non-ssl jboss server.

      I'm having a problem authenticating protected resources with this arrangement. When I make a request for a protected resource, say:

      https://offloader.example.com/app/protected/resource

      I am properly redirected to my login form. When I then POST the login form, I get a 302 Moved Temporarily response, but the Location header contains a non-ssl URI. Here are the request/response headers for the login form POST:

      POST /app/j_security_check HTTP/1.1
      Host: offloader.example.com
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 300
      Connection: keep-alive
      Referer: https://offloader.example.com/app/protected/resource
      Cookie: JSESSIONID=BF689766D55E7AD2DE64A7771A47086D
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 37
      
      j_username=test&j_password=test
      
      HTTP/1.x 302 Moved Temporarily
      Location: http://offloader.example.com/app/protected/resource
      Content-Length: 0
      Date: Wed, 14 Sep 2005 22:25:29 GMT
      Server: Apache-Coyote/1.1
      Note the Location header in the response is a port 80 URL. Since the offloader server doesn't expose port 80 to the world, the redirect times out.

      Note also that the JSESSIONID cookie is properly set and any further requests to protected resources now work, it's just the initial redirect that fails. Is there something I can do to configure this 302 response to produce an https Location header? I've perused the source code but I'm not familiar enough with it to be able to determine where this is happening.

      I realize this may be a Tomcat question, but I thought I'd try here first.
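The symptom described in the post, a login POST made over https answered with a 302 whose Location is plain http, is easy to check for in a test harness. The following is example code added to this thread (not the poster's code and not part of JBoss or Tomcat); the sample response is constructed from the headers quoted above, and the scheme-rewrite helper shows what a proxy or offloader that rewrites redirect headers would emit.

```python
"""Detect an http Location in a redirect that answered an https request,
the symptom shown above when TLS is offloaded in front of the container."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample, modelled on the response headers quoted in the post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: http://offloader.example.com/app/protected/resource\r\n"
    "Content-Length: 0\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status_code, {lowercase-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    code = int(status_line.split()[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers


def location_downgraded(request_url, raw_response):
    """True when a 3xx answer to an https request redirects to plain http on
    the same host: the backend built the URL from its own non-TLS connection."""
    code, headers = parse_headers(raw_response)
    if not (300 <= code < 400) or "location" not in headers:
        return False
    req = urlsplit(request_url)
    loc = urlsplit(headers["location"])
    same_host = loc.hostname == req.hostname
    return same_host and req.scheme == "https" and loc.scheme == "http"


def fix_location(raw_location, original_scheme):
    """Rewrite the redirect target with the scheme the client actually used,
    as an offloader that rewrites response headers would do (assumed fix)."""
    parts = urlsplit(raw_location)
    return urlunsplit((original_scheme,) + tuple(parts)[1:])
```

Running `location_downgraded("https://offloader.example.com/app/j_security_check", SAMPLE_RESPONSE)` on the quoted exchange returns True, which is the failure the post describes.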