0 Replies Latest reply on Sep 15, 2005 12:56 PM by Stan Dyck

    Authentication through an SSL Offloader: Incorrect Location

    Stan Dyck Newbie

      I have a web application running on jboss 3.2.7. My client has decided to run it through an SSL Offloader. User agents access the offloader server which handles encryption and decryption then forwards request to the non-ssl jboss server.

      I'm having a problem authenticating protected resources with this arrangement. When I make a request for a protected resource, say:

      https://offloader.example.com/app/protected/resource

      I am properly redirected to my login form. When I then POST the login form, I get a 302 Moved Temporarily response, but the Location header contains a non-ssl URI. Here is the request/response headers for the login form POST:

      POST /app/j_security_check HTTP/1.1
      Host: offloader.example.com
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 300
      Connection: keep-alive
      Referer: https://offloader.example.com/app/protected/resource
      Cookie: JSESSIONID=BF689766D55E7AD2DE64A7771A47086D
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 37
      
      j_username=test&j_password=test
      
      HTTP/1.x 302 Moved Temporarily
      Location: http://offloader.example.com/app/protected/resource
      Content-Length: 0
      Date: Wed, 14 Sep 2005 22:25:29 GMT
      Server: Apache-Coyote/1.1
      


      Note the Location header in the response is a port 80 URL. Since the offloader server doesn't expose port 80 to the world, the redirect times out.

      Note also that the JSESSIONID cookie is properly set and any further requests to protected resources now work, it's just the initial redirect that fails. Is there something I can do to configure this 302 response to produce an https Location header? I've perused the source code but I'm not familiar enough with it to be able to determine where this is happening.

      I realize this may be a Tomcat question, but I thought I'd try here first.