Posted to users@tomcat.apache.org by Brian Burt <bb...@gfs.com> on 2005/05/11 18:31:52 UTC

Form Authentication with SSL behind Load Balancer

I'm running into a problem using form-based authentication with Tomcat 5.5.9 behind a Cisco CSS load balancer, and I'm hoping someone can point me in the right direction.

We've got Tomcat deployed on 2 nodes, not clustered, but load-balanced via NAT distribution by the Cisco device.  We want the site traffic to be secured with SSL, but the SSL is actually terminated in the load balancer for efficiency and to offload the encryption/decryption burden from Tomcat.

We also planned to use J2EE container-managed authentication using the form-based option.  This is where we're having problems.

When we reference secure content within the target web app with an HTTPS address, Tomcat serves back the configured Login page just fine.  When we submit the Login form, however, and authentication succeeds, we are redirected to the original resource over HTTP instead of HTTPS.

Since the SSL terminates in the load balancer, the Cisco device actually routes the request to Tomcat on the standard HTTP port (8080).  It appears that, after successful authentication by the container via the Login form, Tomcat redirects the user to the original resource URL with the HTTP protocol instead of HTTPS, because Tomcat doesn't know about the HTTPS address intercepted by Cisco.  To Tomcat, the requests all come in looking like plain old HTTP.

Just for grins, I tried setting transport-guarantee = CONFIDENTIAL in my web.xml.  It didn't work, just created a Catch-22 where Tomcat tries to redirect to HTTPS but Cisco intercedes and forwards the request to Tomcat as HTTP.  I spoke with our Network engineers, and they don't believe they can do anything about this on the Cisco side.  They believe it's a web server / Tomcat issue.

Once I'm into the app, I can type the "s" after "http" in the browser's location bar to "switch back" to SSL.  Clicking links with relative URLs in the pages appears to stick with the HTTPS protocol after that.  It's only the initial container-managed login and redirection to the original requested resource that seems to cause the protocol switch.

Any advice is greatly appreciated.  Thanks!


Brian Burt
Enterprise Application Engineer
Gordon Food Service
e-mail: bburt@gfs.com 
office phone: 616-717-6972


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Form Authentication with SSL behind Load Balancer

Posted by Hari Mailvaganam <ha...@gmail.com>.
A couple of suggestions:

- force all traffic on load balancer to/from external world to SSL.

- after form authentication on Tomcat, redirect users to the URL used
by the load balancer - i.e. not XXX:8080/authenticate but
www.YYY.com/authenticate

- or both

Hope this helps.

regards,

Hari Mailvaganam 

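An added example, not from either poster, of the server.xml change on the Tomcat side that addresses the HTTP redirect Brian describes and implements Hari's second suggestion (redirect to the load balancer's URL) in the container itself. It assumes the load balancer accepts HTTPS on port 443 under the host name www.example.com (a placeholder) and forwards every request as plain HTTP to Tomcat's port 8080; the attributes used are the documented Tomcat 5.5 HTTP connector attributes scheme, secure, proxyName and proxyPort.

```xml
<!-- server.xml, before: the stock Tomcat 5.5 connector sitting behind the
     SSL-terminating load balancer. Tomcat only ever sees plain HTTP, so
     request.getScheme() is "http", isSecure() is false and getServerPort()
     is 8080. FormAuthenticator's post-login redirect and any
     transport-guarantee CONFIDENTIAL redirect are built from those values,
     which is why the browser is sent back to http://... -->
<Connector port="8080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true" />

<!-- server.xml, after: tell Tomcat what the client actually used.
     scheme="https" and secure="true" make getScheme() return "https" and
     isSecure() return true, so a CONFIDENTIAL constraint is satisfied
     instead of looping between Tomcat and the load balancer.
     proxyName/proxyPort are what getServerName()/getServerPort() report,
     so absolute redirect URLs come out as https://www.example.com/...
     (www.example.com is a placeholder for the load balancer's host name).
     Caveat: every request arriving on 8080 is now treated as secure, so
     8080 must be reachable only from the load balancer (firewall or ACL),
     never directly from clients. -->
<Connector port="8080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"
           scheme="https" secure="true"
           proxyName="www.example.com" proxyPort="443" />
```

After restarting Tomcat, verify with a request to a protected resource through the load balancer that the Location header of the post-login redirect starts with https://, and with a direct request to port 8080 from outside the load balancer that the connection is refused.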