1

I have a Spring MVC application using Hibernate, hosted on IBM Bluemix, with the domain registered with GoDaddy. It runs on a Tomcat server using the java_buildpack provided by Bluemix for Tomcat. I have bought an SSL certificate from GoDaddy and registered it in Bluemix. My application now works on both HTTP and HTTPS. But now I have a requirement to enforce only HTTPS connections to my application. I implemented Spring Security. I have used a security config to enforce HTTPS and used the code below for HTTPS redirection.

requiresChannel().anyRequest().requiresSecure()

But it gives me the following error in the browser:

Too many redirects occurred trying to open “https://website-name”. This might occur if you open a page that is redirected to open another page which then is redirected to open the original page.

I have followed a few links on the web in order to enforce HTTPS, where they told me to add a few parameters. I added these parameters to the Bluemix runtime environment variables of my application.

server.tomcat.internal-proxies:.*

I also tried adding

server.tomcat.remote_ip_header:x-forwarded-for

server.tomcat.protocol_header:x-forwarded-proto

The flow of the application is: first the GoDaddy lookup, then it goes to the Bluemix application. How can I have only HTTPS enabled?

But I still get the same error. Guys, can you help me solve this problem?

I added the custom filter:

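import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed to be log4j 1.x, which matches the getLogger(Class) call below.
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;

@Component
public class CustomFilter implements Filter {
    private static final Logger logger = Logger.getLogger(CustomFilter.class);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // no initialisation required
    }

    @Override
    public void doFilter(ServletRequest request1, ServletResponse response1, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) request1;
        HttpServletResponse response = (HttpServletResponse) response1;
        // isSecure() describes the connection that reached this container,
        // which is not necessarily the connection the browser opened.
        if (!request.isSecure()) {
            logger.info("Not secure");
            // generate full URL to https
            StringBuilder newUrl = new StringBuilder("https://");
            newUrl.append(request.getServerName());
            if (request.getRequestURI() != null) {
                newUrl.append(request.getRequestURI());
            }
            if (request.getQueryString() != null) {
                newUrl.append("?").append(request.getQueryString());
            }

            response.sendRedirect(newUrl.toString());
        } else {
            // already a secure connection, no redirect to https required.
            logger.info("Else");
            if (chain != null) {
                logger.info("Chain not null");
                chain.doFilter(request, response);
            }
        }
    }

    @Override
    public void destroy() {
        // required by the Filter interface before Servlet 4.0; nothing to release
    }
}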
Dev1994

1 Answer

0

I would advise two options:

  1. In the past I have manually implemented a filter that, if a non-http request is received, redirects to https. I have not used Spring Security in the manner you're attempting.
  2. Post a question to Rob Winch, Spring Security lead, on the Spring forums and cross-link to this question so that people on the Bluemix platform can see his response.

My initial thought is that the manual filter is the way to go, but I would really like to know if Rob and team have encountered this on the CF platform.

  • Is there any sample code to manually implement a filter to redirect to https? – Dev1994 Apr 23 '17 at 18:09
  • The first answer here is a good example of how to use class scanning to find a specific bean. You can also create a class that implements the filter interface, then annotate the class with @Component. In the class, check if the protocol is http, then redirect to https. It should be pretty straightforward. [1] http://stackoverflow.com/questions/26151057/add-a-servlet-filter-in-a-spring-boot-application [2] http://docs.spring.io/spring-boot/docs/1.1.6.RELEASE/reference/html/boot-features-developing-web-applications.html#boot-features-embedded-container-servlets-and-filters – George Foster Apr 24 '17 at 19:59
  • If you want to post some code to a GitHub repo I can take a look. – George Foster May 23 '17 at 13:58
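
An added example, not code from the question, the answer or the Spring project: a servlet filter that decides on the scheme the client used from X-Forwarded-Proto rather than request.isSecure(), which avoids the redirect loop when a router terminates TLS and forwards plain HTTP to Tomcat. It assumes the Bluemix router sets X-Forwarded-Proto on every request (as the header settings tried in the question imply) and that the application is reachable only through that router; the class name and the CANONICAL_HOST value are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class name), written against the Servlet 3.x API.
public class ForwardedProtoHttpsFilter implements Filter {

    // Hypothetical value: the redirect host comes from configuration, not from
    // the client-supplied Host header, so it cannot be steered to another site.
    private static final String CANONICAL_HOST = "www.example.com";

    // Assumption: the platform router sets X-Forwarded-Proto on every request
    // and overwrites any value sent by the client.
    static boolean clientUsedHttps(HttpServletRequest request) {
        String proto = request.getHeader("X-Forwarded-Proto");
        if (proto == null) {
            return request.isSecure(); // no proxy in front: trust the connection
        }
        return "https".equalsIgnoreCase(proto.trim());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (clientUsedHttps(request)) {
            // Tell browsers to skip plain HTTP on later visits (one year).
            response.setHeader("Strict-Transport-Security", "max-age=31536000");
            chain.doFilter(request, response);
            return;
        }
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            // The body already crossed the network in clear text; do not replay it.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        StringBuilder target = new StringBuilder("https://")
                .append(CANONICAL_HOST).append(request.getRequestURI());
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        response.sendRedirect(target.toString());
    }
    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

With a filter like this in place, the requiresChannel().anyRequest().requiresSecure() rule should be removed or made proxy-aware, because Spring Security's channel check also relies on request.isSecure().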