I have a Grails application that is using the Spring Security plugin. The application is hosted in Tomcat with an HTTPD in front of it. I am forcing HTTPS using the following settings:

server.xml in Tomcat

```xml
<Valve
    className="org.apache.catalina.valves.RemoteIpValve"
    internalProxies=".*"
    protocolHeader="X-Forwarded-Proto"
    httpsServerPort="443"
/>
```
httpd.conf (to force HTTPS)

```apache
<Location /myapp>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://my.server.com/myapp [R,L]
</Location>
```
ssl.conf

```apache
<Location /myapp>
    ProxyPass http://localhost:9090/myapp
    ProxyPassReverse http://localhost:9090/myapp
    RequestHeader unset X-Forwarded-Proto
    RequestHeader add X-Forwarded-Proto "https"
</Location>
```
Spring Security settings

```groovy
grails.plugin.springsecurity.secureChannel.definition = [ '/**': 'REQUIRES_SECURE_CHANNEL' ]
grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugin.springsecurity.auth.forceHttps = true
grails.plugin.springsecurity.portMapper.httpPort = 80
grails.plugin.springsecurity.portMapper.httpsPort = 443
grails.plugin.springsecurity.secureChannel.secureHeaderName = 'X-FORWARDED-PROTO'
grails.plugin.springsecurity.secureChannel.secureHeaderValue = 'http'
grails.plugin.springsecurity.secureChannel.insecureHeaderName = 'X-FORWARDED-PROTO'
grails.plugin.springsecurity.secureChannel.insecureHeaderValue = 'https'
```
Problem
I am able to access the site via http://my.server.com/myapp (and get redirected to HTTPS). However, the problem is when I try to log in: upon submitting the username/password and clicking submit, I am redirected to https://localhost/myapp/login/authfail?login_error=1 (notice the host name has changed from my.server.com to localhost). This happens on successful or unsuccessful logins.
The same problem happens on logout as well. Clicking on https://my.server.com/myapp/logout goes to https://localhost/myapp/logout.
Below is the screenshot of tracking the network calls
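The following is an added example, not code from the question or from Tomcat/Apache: a simplified model (an assumption, not the real implementation) of how RemoteIpValve and the container derive the absolute URL of a redirect from the forwarded headers, and of what ProxyPassReverse will and will not rewrite. It reproduces the observed https://localhost/... redirect for the proxied Host header, shows the URL when the public Host is preserved, and shows that narrowing internalProxies stops X-Forwarded-Proto from being honoured from arbitrary source addresses.

```python
import re

BACKEND = "http://localhost:9090/myapp"      # ProxyPass target from ssl.conf
PUBLIC = "https://my.server.com/myapp"       # public URL of the Location block


def build_redirect_url(remote_addr, headers, path,
                       internal_proxies=r".*", https_server_port=443):
    """Model of the URL a servlet redirect becomes behind RemoteIpValve.

    Scheme/port come from X-Forwarded-Proto only when the connecting address
    matches internalProxies; the host always comes from the Host header.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, port = "http", 9090              # plain HTTP connector defaults
    if (re.fullmatch(internal_proxies, remote_addr)
            and h.get("x-forwarded-proto", "").lower() == "https"):
        scheme, port = "https", https_server_port
    host = h["host"].split(":")[0]           # request.getServerName()
    default_port = 443 if scheme == "https" else 80
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def proxy_pass_reverse(location, backend=BACKEND, public=PUBLIC):
    """ProxyPassReverse rewrites Location only when it starts with the backend URL."""
    if location.startswith(backend):
        return public + location[len(backend):]
    return location


if __name__ == "__main__":
    path = "/myapp/login/authfail?login_error=1"
    # 1. As configured: mod_proxy sends Host: localhost:9090, X-Forwarded-Proto: https
    loc = build_redirect_url("127.0.0.1",
                             {"Host": "localhost:9090", "X-Forwarded-Proto": "https"}, path)
    print("without ProxyPreserveHost:", proxy_pass_reverse(loc))
    # 2. With ProxyPreserveHost On the public host reaches Tomcat
    loc = build_redirect_url("127.0.0.1",
                             {"Host": "my.server.com", "X-Forwarded-Proto": "https"}, path)
    print("with ProxyPreserveHost:   ", proxy_pass_reverse(loc))
    # 3. A direct client on a constructed TEST-NET address claiming https is ignored
    #    once internalProxies is narrowed to the proxy itself
    loc = build_redirect_url("203.0.113.7",
                             {"Host": "localhost:9090", "X-Forwarded-Proto": "https"}, path,
                             internal_proxies=r"127\.0\.0\.1")
    print("spoofed header, narrowed internalProxies:", loc)
```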