How to configure HTTPS redirection on Glassfish with Apache2

Question

My scenario looks us follows: 1. server - has a lot of domains 2. domain - application written in Spring MVC 3. apache2 - on server

In application user uses http when anonymous, when he is try to log in application requires HTTPS. I did it by spring security like this:

<http auto-config="true">  
    <intercept-url pattern="/user/add*" access="ROLE_ANONYMOUS" requires-channel="https"/>  
    <intercept-url pattern="/**" access="ROLE_USER, ROLE_ANONYMOUS"/> 
    <form-login login-page="/user/add" authentication-failure-url="/user/logFailed"></form-login>
    <port-mappings>
        <port-mapping http="8080" https="8181"/>
    </port-mappings>
</http> 

On local computer works fine, redirecting on https when clicks /user/add (login page). On server I use Proxy passes on apache2 us follows:

<VirtualHost *:80>
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/

Http works good, and every HTTP request on my domain is redirected and Glassfish gets it.

Problem is with Https. My proxy pass:

<IfModule mod_ssl.c>
<VirtualHost *domain*:8181>
    ServerAdmin webmaster@localhost
    ServerName *server*
    ServerAlias www.*domain*
    DocumentRoot /var/www/*domain*/
    <Directory /var/www/*domain*/>
            Options -Indexes
    </Directory>

    ProxyPass / https://127.0.0.1:8181/
    ProxyPassReverse / https://127.0.0.1:8181/

I tried a lot of different configurations but I don't know where is problem. Requests are redirected to https but on address 127.0.0.1, which is of course localhost. When I changed ProxyPass to domain name it worked the same.

Where I have to reconfigure?

Also is it possible to get Glassfish working on 443 port, not 8181???

Answer 1

I'm guessing your local configuration does not include the apache in front and you're letting Glassfish deal with the SSL? This is why it works locally without a problem.

Apache configurations are not my strong area, but let me give it a stab: if you are now trying to access port 8181 directly on the server, you do not even need to use the proxy pass config since your GF is already running there. This is why you are redirected to 127.0.0.1 (since the config makes no sense, it is doing the proxy pass on the same port). You could also be missing your domain in the servers hosts-file.

What you want to do instead is use virtual host only on 80 and do the proxy pass to 8080 (define the ServerAdmin etc as in the 8181 virtualhost) and let Glassfish and Spring deal with the redirection on non-anonymous authentication.

Yet another option would be to move the SSL to Apache on :443 virtual host that proxies to 8181 and modify your Spring Security config accordingly (port map https to 443).

As to the question of running GF directly on :443, are you running on Windows or UNIX-like? On Windows Glassfish can be bound directly to port 443 by modifying your https-listener via the admin control panel: Configurations -> server-config -> HTTP Service -> modify the port value on the http-listener that has Security enabled. Also you can modify http-listener element' port value directly in domain.xml

On UNIX-like it is a bit more problematic since applications are not allowed to bind on ports below 1024. In this case you can configure iptables redirection in front and redirect all traffic from 443 to 8181 (or any port above 1024 that Glassfish is running).

I think you need to stop for a second and weigh the options, whether or not to use apache in front or just let Glassfish do all http(s)-handling directly with the iptables config. This thread has details that will help you make the call.

I hope this is helpful, your question is quite wide scoped, if you can lock down the decision of whether or not to use apache and where to do SSL it will be easier to give more specific advice. Your Spring security config at this time seems simple and correct, just need to figure out the stuff above.