apache proxy and Spring logout issue

Dear all,

I've configured apache to proxy HTTPS connections to a Spring-boot/Tomcat application using ajp.  All works fine except for the session timeout, I think.

If I don't logout from the application, after a while Spring automatically logout me from the application but instead of redirecting to the https://server/login, the browser goes in the http://server/login so I receive a Not Found error.

Is there a way to solve the issue?

Check your browser's navigation bar. Just because the GET URL for the login is HTTP doesn't mean that the login form returned will also be HTTP. If the "padlock icon" is set in the navigation form then the actual login data is secure.

Often these days webapp servers will automatically redirect http to https if you configure them properly. I do that on my nginx proxies.

Tim Holloway wrote:Check your browser's navigation bar. Just because the GET URL for the login is HTTP doesn't mean that the login form returned will also be HTTP. If the "padlock icon" is set in the navigation form then the actual login data is secure.

Often these days webapp servers will automatically redirect http to https if you configure them properly. I do that on my nginx proxies.

Ok, but  after a period of inactivity, Spring/Tomcat automatically logout me and I'll redirect to a unsecure connection that give me a 404 Not found. In the navigation bar there isn't the padlock icon.

OK. Be patient.

My normal mode for webapp security is to use the JEE-standard Container Managed Security system. CMS makes Tomcat do most of the work by intercepting incoming URLs and matching them against security rules in the /WEB-INF/web,xml file (or equivalents). If the URL matches a secured pattern, then Tomcat parks the request and displays the login form or dialog configured in web.xml. This is all automatic and done outside of the web application itself and the application will never see the incoming request unless the user logged in successfully.

Some things to note is that the login page has no URL - if you have a login form page and attempt to access it yourself, the request will fail because manual requests don't have the Tomcat security subsystem controlling them. In point of fact, my apps don't normally expect a login page. You can bookmark any page in your browser and go straight to the bookmarked page. If you're not logged in and the bookmarked URL is a secured URL, Tomcat will force the login process, otherwise you go straight to the bookmark.

That's a personal preference. I may/usually do have a (non-secured) Welcome page for people who don't have bookmarks, but the direct navigation option is always an option. And, incidentally, if you are running in a Single Sign-On environment, that's a good thing, because with SSO, you might have logged in elsewhere and never log in to Tomcat directly.

Originally, in fact, it was not possible to use the JEE standard security while doing manual logins, but a while back, a login API was added so that people who like to do things like put a mini login form on their web pages could use it.

You, however, are dealing with Spring Security and I am ashamed to confess that I have not bothered to develop an expertise in its details and how it interacts with JEE standard security. It's not like anyone has bothered to pay me to do so, so I let it slide.

But - again - be patient, because I've been working on a Spring Boot app this past month and having almost completely run out of "fun" things to do, I'm about to switch security on. So I'll be coming up to speed on it very soon and should be able to better advise you.

In the mean time, you might be able to add a servlet filter that checks for the existence of an HTTPSession object and if the incoming request doesn't have one, forces an HTTP 302-style redirect to your login. With an https:// URL. Spring can probably (and likely does) do something like that itself, but I think it will allow you to interject your own filter.

Interim update.

Spring itself should not be worrying about http/https (in fact, in some situations either one would be applied depending, for example, on whether it's an external or internal network talking). So the bulk of the URL security workload goes to Apache.

As I mentioned earlier, Apache is commonly configured these days to send ALL incoming HTTP requests to HTTPS, so even if a request responds with an "http://" URL, Apache would reply with an encrypted login page that in turn made an encrypted login request.

This looks like a good page for info on that: https://linuxize.com/post/redirect-http-to-https-in-apache/

This is actually important because historically any manually-entered URL would be HTTP, even if you actually wanted HTTPS. Some browsers have begun to change the default, but it's not safe to assume - let Apache make sure.

I did run across some tricks that claim to re-write outbound URLs from Tomcat to HTTPS, but the ultimate security guard - again - should be on what's inbound, so that's not essential.

Thank you. I configured apache to redirect all HTTP connections to HTTPS. The redirection seems to work fine, except for the URL that becomes https://myserver.comlogin

I wrote:

<VirtualHost *:80>          ServerName myserver.com          Redirect permanent / https://myserver.com/        </VirtualHost>

But instead of creating an https://myserver.com/login I receive the https://myserver.comlogin that doesn't exist. How can solve the problem?

I would check the Spring security config. I'm doing JSF in Spring Boot, so what I have will differ, but mine looks like this:
http.formLogin().loginPage("/login.xhtml")
That leading slash is important!

In the Controller I've

@RequestMapping(value = {"/", "/login"}, method = RequestMethod.GET)


and in the WebSecurityConfig:

.loginPage("/login").failureUrl("/login?error=true")                .usernameParameter("email")                .passwordParameter("password")                .and().logout()                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))                .logoutSuccessUrl("/login?logout=true").and().exceptionHandling().accessDeniedHandler(accessDeniedHandler());

I'd guess that it's an Apache problem. Check the VirtualHost definition for your HTTPS port and make sure it isn't rewriting incoming URLs in a way that removes the "/" before "login".

I tried to enable the Rewrite as follow:

<VirtualHost *:80>          ServerName myserver.com          Redirect / https://myserver.com/login          Redirect /login https://myserver.com/login        </VirtualHost>


But seems not working. I'm redirecting again to https://myserver.comlogin