Tuesday, September 05, 2006

Apache httpd proxying to Tomcat (with Acegi redirection)

I ran into some problems when testing an Apache HTTPD server proxying, through the AJP protocol, to Tomcat, where the main application used Spring and Acegi. Acegi does an excellent job of redirecting from HTTP to HTTPS (and vice versa) when a given URL requires a secure or insecure channel. However, it was not redirecting properly when Apache was proxying all the requests.

Initially I thought it was a problem with proxying, but after checking the log, I realized that Acegi was not redirecting to the correct places but only to the context root (e.g. /context/). After checking its source code (if a simple Google search does not return what we expect, it is the second fastest way), I noticed that my portMapper object was not being used by the redirection classes (such as RetryWithHttpsEntryPoint). That would not be a problem if I were not using non-standard ports (standard ones are 80->443 and 8080->8443).

So, in order to fix this problem, you may do the following:

1 - Change your ports to standard ones (even if only for testing purposes).

2 - Instantiate a portMapper object and define the http->https ports (try to keep a 1-1 relationship, avoiding mappings such as 80->443 and 81->443, in order to avoid problems when Acegi redirects https to http).

3 - Inject this portMapper object into the objects that perform redirection, such as RetryWithHttpsEntryPoint, RetryWithHttpEntryPoint and AuthenticationProcessingFilterEntryPoint (I can't remember any other classes at this moment).

This last step may be somewhat tricky: you must instantiate RetryWithHttpsEntryPoint, for example, inject portMapper into it, and then inject that instance into SecureChannelProcessor. The same goes for InsecureChannelProcessor and RetryWithHttpEntryPoint.
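The wiring from steps 2 and 3, as an added Spring bean definition sketch that is not part of the original post. It assumes the Acegi Security 1.0.x package names (org.acegisecurity.*); the ports 8081/8444, the /login.jsp URL and the bean ids are constructed sample values.

```xml
<!-- Added example: assumes Acegi Security 1.0.x class names.
     Ports, login URL and bean ids are constructed sample values. -->
<beans>
  <!-- Step 2: one HTTP port per HTTPS port, so the https->http lookup is unambiguous -->
  <bean id="portMapper" class="org.acegisecurity.util.PortMapperImpl">
    <property name="portMappings">
      <map>
        <entry key="8081"><value>8444</value></entry>
      </map>
    </property>
  </bean>

  <!-- Step 3: every entry point that builds a redirect URL gets the same mapper -->
  <bean id="retryWithHttps" class="org.acegisecurity.securechannel.RetryWithHttpsEntryPoint">
    <property name="portMapper" ref="portMapper"/>
  </bean>
  <bean id="retryWithHttp" class="org.acegisecurity.securechannel.RetryWithHttpEntryPoint">
    <property name="portMapper" ref="portMapper"/>
  </bean>
  <bean id="authenticationEntryPoint"
        class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl" value="/login.jsp"/>
    <property name="forceHttps" value="true"/>
    <property name="portMapper" ref="portMapper"/>
  </bean>

  <!-- The channel processors are given the customised entry points explicitly,
       as the post describes, so the redirects use the mapper defined above -->
  <bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor">
    <property name="entryPoint" ref="retryWithHttps"/>
  </bean>
  <bean id="insecureChannelProcessor" class="org.acegisecurity.securechannel.InsecureChannelProcessor">
    <property name="entryPoint" ref="retryWithHttp"/>
  </bean>

  <!-- The decision manager is what the channel processing filter consults -->
  <bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
    <property name="channelProcessors">
      <list>
        <ref bean="secureChannelProcessor"/>
        <ref bean="insecureChannelProcessor"/>
      </list>
    </property>
  </bean>
</beans>
```

The channel processing filter and the rest of the filter chain are omitted; they reference channelDecisionManager and authenticationEntryPoint as in any existing Acegi configuration.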

In my case, it was much simpler to move to standard ports :-) But at least I found a way of solving it if I couldn't change the ports.