Win a copy of Rust Web Development this week in the Other Languages forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Tim Cooke
  • Campbell Ritchie
  • Ron McLeod
  • Liutauras Vilda
  • Jeanne Boyarsky
Sheriffs:
  • Junilu Lacar
  • Rob Spoor
  • Paul Clapham
Saloon Keepers:
  • Tim Holloway
  • Tim Moores
  • Jesse Silverman
  • Stephan van Hulst
  • Carey Brown
Bartenders:
  • Al Hobbs
  • Piet Souris
  • Frits Walraven

apache proxy and Spring logout issue

 
Enrico Morelli
Ranch Hand
Posts: 39
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Dear all,

I've configured apache to proxy HTTPS connections to a Spring-boot/Tomcat application using ajp.  All works fine except for the session timeout, I think.

If I don't logout from the application, after a while Spring automatically logout me from the application but instead of redirecting to the https://server/login, the browser goes in the http://server/login so I receive a Not Found error.

Is there a way to solve the issue?
 
Tim Holloway
Saloon Keeper
Posts: 24825
172
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Check your browser's navigation bar. Just because the GET URL for the login is HTTP doesn't mean that the login form returned will also be HTTP. If the "padlock icon" is set in the navigation form then the actual login data is secure.

Often these days webapp servers will automatically redirect http to https if you configure them properly. I do that on my nginx proxies.
 
Enrico Morelli
Ranch Hand
Posts: 39
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Tim Holloway wrote:Check your browser's navigation bar. Just because the GET URL for the login is HTTP doesn't mean that the login form returned will also be HTTP. If the "padlock icon" is set in the navigation form then the actual login data is secure.

Often these days webapp servers will automatically redirect http to https if you configure them properly. I do that on my nginx proxies.



Ok, but  after a period of inactivity, Spring/Tomcat automatically logout me and I'll redirect to a unsecure connection that give me a 404 Not found. In the navigation bar there isn't the padlock icon.
 
Tim Holloway
Saloon Keeper
Posts: 24825
172
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
OK. Be patient.

My normal mode for webapp security is to use the JEE-standard Container Managed Security system. CMS makes Tomcat do most of the work by intercepting incoming URLs and matching them against security rules in the /WEB-INF/web,xml file (or equivalents). If the URL matches a secured pattern, then Tomcat parks the request and displays the login form or dialog configured in web.xml. This is all automatic and done outside of the web application itself and the application will never see the incoming request unless the user logged in successfully.

Some things to note is that the login page has no URL - if you have a login form page and attempt to access it yourself, the request will fail because manual requests don't have the Tomcat security subsystem controlling them. In point of fact, my apps don't normally expect a login page. You can bookmark any page in your browser and go straight to the bookmarked page. If you're not logged in and the bookmarked URL is a secured URL, Tomcat will force the login process, otherwise you go straight to the bookmark.

That's a personal preference. I may/usually do have a (non-secured) Welcome page for people who don't have bookmarks, but the direct navigation option is always an option. And, incidentally, if you are running in a Single Sign-On environment, that's a good thing, because with SSO, you might have logged in elsewhere and never log in to Tomcat directly.

Originally, in fact, it was not possible to use the JEE standard security while doing manual logins, but a while back, a login API was added so that people who like to do things like put a mini login form on their web pages could use it.

You, however, are dealing with Spring Security and I am ashamed to confess that I have not bothered to develop an expertise in its details and how it interacts with JEE standard security. It's not like anyone has bothered to pay me to do so, so I let it slide.

But - again - be patient, because I've been working on a Spring Boot app this past month and having almost completely run out of "fun" things to do, I'm about to switch security on. So I'll be coming up to speed on it very soon and should be able to better advise you.

In the mean time, you might be able to add a servlet filter that checks for the existence of an HTTPSession object and if the incoming request doesn't have one, forces an HTTP 302-style redirect to your login. With an https:// URL. Spring can probably (and likely does) do something like that itself, but I think it will allow you to interject your own filter.
 
Tim Holloway
Saloon Keeper
Posts: 24825
172
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Interim update.

Spring itself should not be worrying about http/https (in fact, in some situations either one would be applied depending, for example, on whether it's an external or internal network talking). So the bulk of the URL security workload goes to Apache.

As I mentioned earlier, Apache is commonly configured these days to send ALL incoming HTTP requests to HTTPS, so even if a request responds with an "http://" URL, Apache would reply with an encrypted login page that in turn made an encrypted login request.

This looks like a good page for info on that: https://linuxize.com/post/redirect-http-to-https-in-apache/

This is actually important because historically any manually-entered URL would be HTTP, even if you actually wanted HTTPS. Some browsers have begun to change the default, but it's not safe to assume - let Apache make sure.

I did run across some tricks that claim to re-write outbound URLs from Tomcat to HTTPS, but the ultimate security guard - again - should be on what's inbound, so that's not essential.
 
Enrico Morelli
Ranch Hand
Posts: 39
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thank you. I configured apache to redirect all HTTP connections to HTTPS. The redirection seems to work fine, except for the URL that becomes https://myserver.comlogin

I wrote:



But instead of creating an https://myserver.com/login I receive the https://myserver.comlogin that doesn't exist. How can solve the problem?
 
Tim Holloway
Saloon Keeper
Posts: 24825
172
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I would check the Spring security config. I'm doing JSF in Spring Boot, so what I have will differ, but mine looks like this:

That leading slash is important!
 
Enrico Morelli
Ranch Hand
Posts: 39
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
In the Controller I've




and in the WebSecurityConfig:

 
Tim Holloway
Saloon Keeper
Posts: 24825
172
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I'd guess that it's an Apache problem. Check the VirtualHost definition for your HTTPS port and make sure it isn't rewriting incoming URLs in a way that removes the "/" before "login".
 
Enrico Morelli
Ranch Hand
Posts: 39
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I tried to enable the Rewrite as follow:




But seems not working. I'm redirecting again to https://myserver.comlogin
 
You showed up just in time for the waffles! And this tiny ad:
Building a Better World in your Backyard by Paul Wheaton and Shawn Klassen-Koop
https://coderanch.com/wiki/718759/books/Building-World-Backyard-Paul-Wheaton
reply
    Bookmark Topic Watch Topic
  • New Topic