Posted to user@shiro.apache.org by AndyW <an...@gmail.com> on 2013/09/02 00:00:58 UTC

SSL Login - https redirects to http

Hello,

I'm trying to make my web app use ssl, but I'm having a strange problem with
the login.jsp page. When I load https://www.myexample.com as a non-logged-in
user, the browser redirects to http://www.myexample.com/login.jsp (instead
of https).

I'm using Shiro with Guice, Jersey and Jetty, deployed to Heroku.

I've tried changing the login.jsp filter chain in my ShiroWebModule, e.g.:

addFilterChain("/login.jsp", SSL, AUTHC);

Although this forces a redirect to the https login.jsp, the browser then
displays an error page showing an ERR_TOO_MANY_REDIRECTS error.

Any help getting to the bottom of this would be much appreciated!

Thanks,
Andy




--
View this message in context: http://shiro-user.582556.n2.nabble.com/SSL-Login-https-redirects-to-http-tp7579103.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: SSL Login - https redirects to http

Posted by Jared Bunting <ja...@peachjean.com>.
The Apache SSL proxy will handle rewriting that location header.  As will
F5 setups that I've used.

I haven't used Heroku's SSL but I would expect it to do something similar.
On Sep 17, 2013 6:09 PM, "AndyW" <an...@gmail.com> wrote:

> I believe the problem to be caused by the way application https is handled
> by
> Heroku: the https endpoint is in the Heroku stack, but the communication
> between the endpoint and applications running in Heroku uses vanilla http.
>
> This means that when Shiro assembles the Location header in order to
> redirect the browser to the login page (and, after login, to the requested
> page), it uses the http scheme of the request reaching the application,
> instead of the https scheme as requested by the user (see
> ShiroHttpServletResponse.toAbsolute(String location)).
>
> So, when I request https://myexample.com, the response that Shiro sends
> back
> has a Location header of http://myexample.com/login.jsp.
>
> Is this a case that Shiro is able to handle? If so, I'd really appreciate a
> pointer.
>
> Thanks,
> Andy
>
>
>

Re: SSL Login - https redirects to http

Posted by AndyW <an...@gmail.com>.
I believe the problem to be caused by the way application https is handled by
Heroku: the https endpoint is in the Heroku stack, but the communication
between the endpoint and applications running in Heroku uses vanilla http.

This means that when Shiro assembles the Location header in order to
redirect the browser to the login page (and, after login, to the requested
page), it uses the http scheme of the request reaching the application,
instead of the https scheme as requested by the user (see
ShiroHttpServletResponse.toAbsolute(String location)).

So, when I request https://myexample.com, the response that Shiro sends back
has a Location header of http://myexample.com/login.jsp.

Is this a case that Shiro is able to handle? If so, I'd really appreciate a
pointer.

Thanks,
Andy



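The diagnosis above (Heroku terminates TLS in its router and forwards plain HTTP to the dyno, so Shiro's ShiroHttpServletResponse.toAbsolute() builds the Location header from an http request) and Jared's note that a proxy would normally fix up that header both point at the same in-app remedy: restore the original scheme before Shiro sees the request. The filter below is an added example written for this thread; it is not code from the thread, from Shiro or from Heroku. It assumes the proxy sets the de facto standard X-Forwarded-Proto header and that the application is only reachable through that proxy; the package name, class name and the fixed port 443 are illustrative. It must run before the Shiro filter in the chain (with Guice servlet, register it with filter("/*").through(...) ahead of the ShiroWebModule's filter).

```java
// Added example (not from the thread): present a request that a TLS-terminating
// proxy forwarded over plain HTTP as an https request, so that code which
// derives absolute URLs from the request scheme (Shiro's redirect to the login
// page and back again) emits https:// instead of http://.
//
// Assumptions (not confirmed by the thread): the proxy sets X-Forwarded-Proto
// and overwrites any value supplied by the client, and the app is not reachable
// except through that proxy. Package and names are hypothetical.
package example;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class ForwardedProtoFilter implements Filter {

    // Header a TLS-terminating proxy uses to report the client-facing scheme.
    static final String FORWARDED_PROTO = "X-Forwarded-Proto";

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String proto = http.getHeader(FORWARDED_PROTO);
            // Only ever upgrade http -> https. A header can never downgrade a
            // request that really did arrive over TLS on this container.
            if (!http.isSecure() && "https".equalsIgnoreCase(proto)) {
                req = new HttpsSchemeRequest(http);
            }
        }
        chain.doFilter(req, res);
    }

    /** Makes a proxied request look as if it had arrived over TLS on port 443. */
    static class HttpsSchemeRequest extends HttpServletRequestWrapper {
        HttpsSchemeRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getScheme() {
            return "https";
        }

        @Override
        public boolean isSecure() {
            return true;
        }

        // The client spoke to the proxy on 443; the dyno's own port is internal.
        // Reporting 443 here also satisfies a port-based "ssl" filter check, so
        // the SSL filter no longer redirects a request that is already https.
        @Override
        public int getServerPort() {
            return 443;
        }

        @Override
        public StringBuffer getRequestURL() {
            // Rebuild the URL with the external scheme; 443 is the default
            // https port, so it is omitted.
            return new StringBuffer("https://")
                    .append(getServerName())
                    .append(getRequestURI());
        }
    }
}
```

The check that matters for a deployment is the second assumption: if the application can be reached without going through the proxy, any client can send X-Forwarded-Proto: https on a plaintext connection and the app will treat it as secure, so this filter should only be enabled where the proxy is the sole entry point and is known to overwrite the header. Containers also offer this natively (Jetty 9, for example, has a ForwardedRequestCustomizer), which is preferable to a hand-written wrapper when it is available in your setup.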

Re: SSL Login - https redirects to http

Posted by AndyW <an...@gmail.com>.
Hi Les,

Thanks for the reply, it's very much appreciated.

Still no luck, unfortunately. Perhaps I could take you through my attempts
to fix this?

Step 1: My starting point is my non-ssl configuration, in my ShiroWebModule
configureShiroWeb() method. This works perfectly, and I love how simple
Shiro is to use here:

	protected void configureShiroWeb() {
		bindConstant().annotatedWith(Names.named("shiro.globalSessionTimeout")).to(30000L);

		bindRealm().to(MyAuthorizingRealm.class).asEagerSingleton();

		addFilterChain("/favicon.ico", ANON);
		addFilterChain("/css/*",       ANON);
		addFilterChain("/api/user*",   ANON);
		addFilterChain("/signup.html", ANON);

		addFilterChain("/login.jsp",   AUTHC);
		addFilterChain("/**",          AUTHC);
	}

I hope all that's self-explanatory. This works as expected - when I go to
any page at http://www.myexample.com as an unauthorised user, I'm redirected
to /login.jsp. Then when I log in, I'm taken to the page I originally
requested.

Step 2: I added SSL to www.myexample.com, using a self-signed certificate.
The app is deployed to Heroku, and is set up with their SSL add-on. Now,
going to httpS://www.myexample.com/any-page redirects to
http://www.myexample.com/login.jsp, instead of httpS. I can then change the
browser url to load httpS://www.myexample.com/login.jsp, but when I log in
I'm redirected to the non-ssl http://www.myexample.com/any-page. (I can then
change to https and navigate the app as expected, and signed in correctly.)

Step 3: I attempted to force Shiro to use https, by adding it to the
login.jsp chain:

	protected void configureShiroWeb() {
		bindConstant().annotatedWith(Names.named("shiro.globalSessionTimeout")).to(30000L);

		bindRealm().to(MyAuthorizingRealm.class).asEagerSingleton();

		addFilterChain("/favicon.ico", ANON);
		addFilterChain("/css/*",       ANON);
		addFilterChain("/api/user*",   ANON);
		addFilterChain("/signup.html", ANON);

		addFilterChain("/login.jsp",   SSL, AUTHC);
		addFilterChain("/**",          AUTHC);
	}

This attempt gives an ERR_TOO_MANY_REDIRECTS error when I try to load any
page.

Step 4: Going from my interpretation of your comments in your reply, I tried
explicitly naming the AuthC login url:

	protected void configureShiroWeb() {
		bindConstant().annotatedWith(Names.named("shiro.globalSessionTimeout")).to(30000L);
		bindConstant().annotatedWith(Names.named("shiro.authc.loginUrl")).to("/login.jsp");

		bindRealm().to(MyAuthorizingRealm.class).asEagerSingleton();

		addFilterChain("/favicon.ico", ANON);
		addFilterChain("/css/*",       ANON);
		addFilterChain("/api/user*",   ANON);
		addFilterChain("/signup.html", ANON);

		addFilterChain("/login.jsp",   SSL, AUTHC);
		addFilterChain("/**",          AUTHC);
	}

This attempt made no difference.

I'm starting to suspect that the issue may lie with Heroku, in that the
https connection is handled by the Cedar stack before being routed to my
app, and therefore I shouldn't be explicitly handling ssl inside the app. In
that case, I'm back to Step 2, and needing my login.jsp to play nicely with
its environment.

Thanks for reading this far - if you have any thoughts or suggestions - or
explanations of where I'm going so cripplingly wrong! - I'd love to hear
them.

Thanks,
Andy






Re: SSL Login - https redirects to http

Posted by Les Hazlewood <lh...@apache.org>.
Hi Andy,

I *think* this might be due to the way your filters are declared?

The AUTHC filter needs to be told what the login url is ("/login.jsp") so
it knows to let requests to that URL pass through (otherwise the page won't
be rendered!).

If you do that first and then define the filter chain, I think that will
solve it.

HTH,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282


On Sun, Sep 1, 2013 at 3:00 PM, AndyW <an...@gmail.com> wrote:

> Hello,
>
> I'm trying to make my web app use ssl, but I'm having a strange problem
> with
> the login.jsp page. When I load https://www.myexample.com as a
> non-logged-in
> user, the browser redirects to http://www.myexample.com/login.jsp (instead
> of https).
>
> I'm using Shiro with Guice, Jersey and Jetty, deployed to Heroku.
>
> I've tried changing the login.jsp filter chain in my ShiroWebModule, e.g.:
>
> addFilterChain("/login.jsp", SSL, AUTHC);
>
> Although this forces a redirect to the https login.jsp, the browser then
> displays an error page showing an ERR_TOO_MANY_REDIRECTS error.
>
> Any help getting to the bottom of this would be much appreciated!
>
> Thanks,
> Andy
>
>
>
>