3

I have a grails application running on tomcat and I'm using mod_proxy to connect http server with it. My goal is to secure the login process.

My VirtualHost configuration to force https is:

    ProxyPass /myapp/ http://127.0.0.1:8080/myapp
    ProxyPassReverse /myapp/ http://127.0.0.1:8080/myapp

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(myapp/login) https://%{HTTP_HOST}:443/$1 [NC,R=301,L]

When I go to https://mydomain.com/myapp/adm - which requires authentication - it redirects to http://mydomain.com/myapp/login/auth;jsessionid=yyyyyy, with no security so the rewrite is not working (if I manually replace http with https, it works fine).

Any hints?

xain

3 Answers

1

When I go to https://mydomain.com/myapp/adm - which requires authentication - it redirects to http://mydomain.com/myapp/login/auth;jsessionid=yyyyyy,

Looks like Spring Security performs the redirect to /login/auth. Burt Beckwith mentions here that Spring Security does not need grails.serverURL. It should use request.getServerName(). Basically, grails.serverURL has been used for createLink methods.

I would suggest:

  1. Try to use https in grails.serverURL for the production environment
  2. Set the app context (if item 1 didn't help):

    grails.app.context="/myapp"

Update

Just to isolate and better understand where the problem is:

Could you please run grails (on development environment) with https and check if everything works fine:

    grails run-app -https

Andriy Budzinskyy
1

You made a typo, you wanted this:

    RewriteRule ^/myapp/login https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]

Your current RewriteRule can't ever match.

I also doubt there's a point in having this:

    RewriteCond %{THE_REQUEST} ^[A-Z]+\s/myapp/login [NC]

This only duplicates the ^/myapp/login you wanted in the RewriteRule. So while it works it serves no purpose.

Amblyopius
1

In a setup where you allow both http and https, add a separate Connector element to Tomcat's conf/server.xml file:

    <Connector port="8081" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8"
               scheme="https" secure="true" proxyName="somehostname.domain" proxyPort="443" />

If only https is allowed, you can add the scheme, secure, proxyName and proxyPort attributes to the existing Connector element.

In the Apache config, make the *:443 virtual host proxy to the Connector with the extra attributes. The plain http *:80 can connect to the original Connector.

For more information:

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Proxy_Support

http://tomcat.apache.org/tomcat-7.0-doc/proxy-howto.html

Lari Hotari
  • But both http and https work fine separately, my problem is when redirecting from http to https – xain Mar 02 '13 at 12:05
  • I now noticed that Tomcat 7 has a "Remote IP Valve" http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve and "Remote IP Filter" http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_IP_Filter as an alternative solution to adding these properties to the Connector element. – Lari Hotari Mar 27 '13 at 11:57
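
The Apache side of the answer above written out, as an added example that is not part of the original answers. It assumes the original Connector listens on 8080 and the extra one on 8081 as shown, uses the login redirect rule from the second answer, and uses placeholder certificate paths.

```apache
# Added example, not from the original page. Hostname follows the proxyName
# in the Connector above; certificate paths are placeholders.

<VirtualHost *:80>
    ServerName somehostname.domain

    RewriteEngine On
    # Move the login pages to HTTPS before the request is proxied.
    # In virtual-host context the pattern is matched against the path
    # including its leading slash.
    RewriteRule ^/myapp/login https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]

    # Plain HTTP goes to the original Connector (port 8080 assumed).
    # Trailing slashes match on both sides of the mapping.
    ProxyPass        /myapp/ http://127.0.0.1:8080/myapp/
    ProxyPassReverse /myapp/ http://127.0.0.1:8080/myapp/
</VirtualHost>

<VirtualHost *:443>
    ServerName somehostname.domain

    SSLEngine On
    # Placeholder paths, replace with the real certificate and key.
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # HTTPS goes to the Connector that declares scheme="https",
    # secure="true", proxyName and proxyPort="443". Tomcat then reports
    # the request as secure and builds absolute redirect URLs
    # (such as the one to /myapp/login/auth) with https.
    ProxyPass        /myapp/ http://127.0.0.1:8081/myapp/
    ProxyPassReverse /myapp/ http://127.0.0.1:8081/myapp/
</VirtualHost>
```

After reloading Apache, request https://somehostname.domain/myapp/adm and confirm that the Location header of the redirect starts with https://.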