
Spring security and HTTPS Redirect

I have two questions regarding the use of HTTPS:

1) Is it possible to force https for my application? I'm running a java/spring web app on jboss on openshift. When I force https (CONFIDENTIAL) in the web.xml, the application redirects to 8443, which is of course not accessible from the outside.

2) I use spring security. By using requiresChannel="https", you can redirect specific URLs to https. Spring security correctly redirects to 443, however it then gets stuck in a loop. This is probably caused by the fact that spring either doesn't recognize that it's running on https (ssl terminated in an apache/loadbalancer?) or it is detecting the wrong port (8443 instead of 443). Is there a solution for this?

Thank you for your interest in OpenShift!

Please review the configurations provided to you in your local git repo's .openshift/config/standalone.xml file. In JBoss AS7, the configurations are moved there under "socket-binding-group". The connector config is directly above that. Note that we bind port 8080 to the internal IP (${env.OPENSHIFT_INTERNAL_IP}) for the public interface. Try updating those configurations rather than in web.xml. It may resolve the other issues you have.

One issue I found in doing this is that we don't allow binding 8443 to the internal IP, so I just used 8080 for now. I'll enter a bug for that.

I'll forward your questions internally as well.

Thanks; ~Nam

Here's a KB resulting from the previous review efforts: https://www.openshift.com/kb/kb-e1044-how-to-redirect-traffic-to-https

Thanks for your reaction and the efforts regarding OpenShift.

I fiddled around with the standalone.xml, but still don't have it working. This is my subsystem setup for web:

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true"/>
</subsystem>

This is my socket binding setup:

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="http" port="8080"/>
    <socket-binding name="https" port="8443"/>
</socket-binding-group>

HTTPS works (out of the box) when I go to https://app..... With the posted setup there is no redirect, just http and https. So I added the following to my web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

This now redirects all http requests to the correct URL https://app on port 443. However, it gets into a redirect loop. I suspect this is because JBoss is not handling the SSL, but another application (apache web server or something) is handling the SSL and it is terminated there. For the web application, all requests are thus http and an infinite redirect happens. Is it possible to change the http to https forwarding in the web server or is there another solution?

Thanks again.

Hi Erwin,

Your redirect-port value should point to the https port that's been configured for your configuration. So in your configuration above, you have configured the https socket binding to 8443:

<socket-binding name="https" port="8443"/>

So, assuming you are not using any port offset for starting the server, your redirect-port for the HTTP connector should also point to 8443:

<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="8443"/>

Of course the configurations that you made in your web.xml should stay since that's what tells the web container that your resources in the application are to be served via HTTPS.

Do let us know if you still have problems with this.

I changed the redirect port to 8443. The application now redirects to https://socialsearch-edg.rhcloud.com:8443/. Since 8443 is not accessible from the outside, this is also not a solution. Also, I cannot bind JBoss https to 443, since this is not allowed. Any other solutions, or should I write my own redirect filter?

Alright, I found a workaround to get the spring security redirect to work. In the JBoss connector put the redirect-port on 443. Then, you need your own implementation of org.springframework.security.web.access.channel.SecureChannelProcessor.

I changed the decide method of this class. The original implementation used request.isSecure(). I changed this to check the header "x-forwarded-proto", which contains "https" if the request URL is an https URL. I have to see how this behaves when you manually set the header to https and do a request to an http URL, to see if this method is secure enough.

I would have liked a solution by configuration, but at least this works and I have full control over which URLs to redirect to https.

Hi Erwin, Good catch with the http header "x-forwarded-proto".

I tried that in a Servlet Filter for forcing https and it works pretty well.

Thanks, Libor
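Following Erwin's header check and Libor's filter approach, here is an added servlet filter (example code, not from the thread or from OpenShift) that forces HTTPS behind a TLS-terminating proxy using X-Forwarded-Proto and redirects to the public host on port 443. The package name and the trustedProxies init-param values are assumptions; the proxy's source address on your platform has to be verified.

```java
// Added example, not from the thread: javax.servlet 3.0 filter forcing HTTPS behind
// a TLS-terminating proxy. X-Forwarded-Proto is trusted only when the connection comes
// from an address in the trustedProxies init-param (assumed default: loopback).
package example.web; // hypothetical package name

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/*")
public class ForwardedProtoHttpsFilter implements Filter {
    private final Set<String> trustedProxies = new HashSet<String>();

    public void init(FilterConfig cfg) {
        String list = cfg.getInitParameter("trustedProxies");
        trustedProxies.addAll(Arrays.asList((list != null ? list : "127.0.0.1,::1").split("\\s*,\\s*")));
    }

    // True when the client reached us over HTTPS: either JBoss terminated TLS itself
    // (request.isSecure()), or a trusted proxy says so via X-Forwarded-Proto.
    static boolean arrivedOverHttps(HttpServletRequest req, Set<String> proxies) {
        if (req.isSecure()) return true;
        String proto = req.getHeader("X-Forwarded-Proto");
        return proto != null && proxies.contains(req.getRemoteAddr())
                && "https".equalsIgnoreCase(proto.split(",")[0].trim());
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (arrivedOverHttps(req, trustedProxies)) {
            chain.doFilter(request, response);
            return;
        }
        // Rebuild the URL on https with no explicit port, so the public hostname is
        // kept and the internal 8443 never appears in the Location header.
        StringBuilder url = new StringBuilder("https://").append(req.getServerName()).append(req.getRequestURI());
        if (req.getQueryString() != null) url.append('?').append(req.getQueryString());
        resp.sendRedirect(url.toString());
    }

    public void destroy() { }
}
```

The remote-address check only helps if the proxy is what connects to JBoss and overwrites any client-supplied X-Forwarded-Proto; if the proxy does not preserve the Host header, getServerName() will need replacing with the public hostname.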

Is there any solution out of the box?

There is no out-of-the-box solution for this issue; however, a custom wrapper can be written to solve it when x-forwarded-proto is used. https://access.redhat.com/site/solutions/497323 and https://community.jboss.org/thread/197334?start=0&tstart=0 are as close to out of the box as you can get.