R
robert.pappas
Greetings!
We have implemented an HTTPS application on Tomcat, and we run multiple
Application Servers for load-balancing.
Without getting into all the details of what and WHY....we have a
hardware SSL decoder in front of our load balancer.
So, the user browser submits an https request, and the SSL decoder
turns it into an http request, and Tomcat processes the http request.
The only problem is, every time Tomcat generates a page redirect, it
sends a fully qualified URL back to the browser, and it prepends "http"
onto the URL. (Tomcat thinks we are running an http side, but we are
actually running an https site).
And when the user browser receives an "http" redirect after sending an
"https" request, it pops up a security warning to the user. (At least
Internet Explorer does.)
Is there any way to tell Tomcat "Hey, I know the requests are coming in
as http, but please generate all outbound redirects as https!!!"
I found that you could set the "scheme" parameter on a Tomcat
Connector, and that kinda works, but it breaks the Tomcat Login Process
(j_security_check), because j_security_check adds a port number (80) to
the URL. And you end up with an https request going to port
80....which causes a nasty error.
How about we give up on Tomcat and try WebSphere or a commercial
Application Server? Do THEY handle this better?
Any help desperately appreciated!!!
Robert Pappas
(e-mail address removed)
We have implemented an HTTPS application on Tomcat, and we run multiple
Application Servers for load-balancing.
Without getting into all the details of what and WHY....we have a
hardware SSL decoder in front of our load balancer.
So, the user browser submits an https request, and the SSL decoder
turns it into an http request, and Tomcat processes the http request.
The only problem is, every time Tomcat generates a page redirect, it
sends a fully qualified URL back to the browser, and it prepends "http"
onto the URL. (Tomcat thinks we are running an http side, but we are
actually running an https site).
And when the user browser receives an "http" redirect after sending an
"https" request, it pops up a security warning to the user. (At least
Internet Explorer does.)
Is there any way to tell Tomcat "Hey, I know the requests are coming in
as http, but please generate all outbound redirects as https!!!"
I found that you could set the "scheme" parameter on a Tomcat
Connector, and that kinda works, but it breaks the Tomcat Login Process
(j_security_check), because j_security_check adds a port number (80) to
the URL. And you end up with an https request going to port
80....which causes a nasty error.
How about we give up on Tomcat and try WebSphere or a commercial
Application Server? Do THEY handle this better?
Any help desperately appreciated!!!
Robert Pappas
(e-mail address removed)