Question

I am using response.sendRedirect() to redirect the user to the Home page once the user is authenticated successfully. This is to avoid the "Login redirect vulnerability".

However, because of the above change, one of my customers is facing an issue where his HTTPS requests are getting converted to HTTP (with the IP address in the URL). The reason for this is explained here:

http://geekexplains.blogspot.in/2008/06/https-becoming-http-in-case-of.html

Now, how can I reproduce the issue (or set up the environment) so that I can verify my fix? I thought I could reproduce it by setting up an Apache server in front of Tomcat, but I am not able to reproduce the above-mentioned issue.

In Apache httpd.conf I have the entries below:

ProxyPass /myconsole ajp://localhost:8009/myconsole
ProxyPassReverse /myconsole ajp://localhost:8009/myconsole

I accessed the application like:

http://myapacheserver/myconsole/Login.jsp

After a successful login, I am getting redirected to

http://myapacheserver/myconsole/Home.jsp

I am expecting to be redirected to the IP address, something like http://10.32.24.14:8080/myconsole/Home.jsp.

In the customer environment he is getting redirected to the IP address of the app server (Tomcat).

Any pointer would be helpful.

Thanks

Note: For those interested, I am building the full URL by getting the first part of the URI from the configuration file.

//Get the LB URI part. Eg: https://dev.loadbalancer.com/
String loadBalancerURI = getConfig().getLoadBalancerRequestURI();
String redirectURL = request.getContextPath() + "/Home.jsp";

//Prepend the LoadBalancer URI to the redirect URI. The configured value ends in "/" and
//the context path starts with "/", so strip the trailing slash to avoid "https://lb///myconsole".
if(loadBalancerURI != null)
{
    redirectURL = loadBalancerURI.replaceAll("/+$", "") + redirectURL;
}

//redirect to home page
response.sendRedirect(redirectURL);

return;

Edit: More info on the setup. The customer has an F5 load balancer where the SSL traffic stops, and then there are Apache reverse proxy servers which proxy to a pool of Tomcat servers. The issue is that when we do a redirect, the redirect URL is for the Tomcat servers. What we are expecting is to have the load balancer URL in the redirect URL.

Is it possible to make some change in the Apache server which will rewrite the URL in the HTTP header in the response sent by Tomcat?


Solution 3

I was able to reproduce the issue (when the HTTP-HTTPS redirect happens) which my customer was facing.

The communication from Apache (HTTPD server) to Tomcat (web container) generally happens using one of the following connectors (there may be some other way as well).

  • mod_jk
  • mod_proxy_ajp
  • mod_proxy_http
  • mod_rewrite

I am able to reproduce the issue only when I use mod_rewrite. If I use either the mod_jk, mod_proxy_ajp or mod_proxy_http approach, then the redirect works fine. But when I use mod_rewrite, then when the redirect happens I am able to observe the HTTPS-HTTP conversion.

Other tips

I'm not sure if you're really using a load balancer or if you just called one of your methods getLoadBalancerRequestURI, but where you only have one server, just use:

response.sendRedirect("./Home.jsp");

It's not necessary to specify the full URL.

But if you do need to build the full URL as you are doing, you can use something like this to check if it's https://

String protocol = "https";
if( request.getRequestURL().toString().toLowerCase().startsWith("http://" ) )
{
    protocol = "http";
}

Then make sure to build the URL with the proper protocol.

See this link:

So when an HTTPS request redirect happens, the target server has no clue what the original request's protocol was. It only receives an HTTP request. Thus, the response for that would be an HTTP response.

http://www.hoitikwong.com/2013/03/the-mystery-case-of-https-becoming-http.html
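A redirect helper that keeps the scheme and host the client actually used when TLS ends at the load balancer, covering both the question's URL-building code and the protocol check in the answer above; this is an added example, not code from the question or the answers. It assumes the F5 or Apache tier injects X-Forwarded-Proto and X-Forwarded-Host (for example with Apache's RequestHeader directive), that the operator supplies the hostname allowlist, and that headers are passed in as a Map so the class compiles without the servlet API.

```java
import java.util.Map;
import java.util.Set;

/** Builds the absolute redirect URL with the scheme and host the client actually used (hypothetical helper). */
public final class RedirectUrlBuilder {

    /**
     * headers: request headers with lower-cased names (constructed below; in a servlet read them via request.getHeader).
     * requestScheme/requestHost: what Tomcat itself sees, i.e. "http" and its own IP once TLS ended at the F5.
     * allowedHosts: hostnames the load balancer is known to serve; any other X-Forwarded-Host is ignored.
     * fallbackBase: the configured LB URL (the question's getLoadBalancerRequestURI()), may be null.
     * path: context-relative target such as "/myconsole/Home.jsp"; never a user-supplied URL.
     */
    public static String build(Map<String, String> headers, String requestScheme, String requestHost,
                               Set<String> allowedHosts, String fallbackBase, String path) {
        String proto = headers.get("x-forwarded-proto");
        String host = headers.get("x-forwarded-host");
        if (host != null) {
            host = host.split(",")[0].trim().toLowerCase(); // first value if several proxies appended one
        }
        String base;
        if (host != null && allowedHosts.contains(host)) {
            // Trust the forwarded headers only for a host we own: a client can send these headers too.
            String scheme = "https".equalsIgnoreCase(proto) ? "https" : "http";
            base = scheme + "://" + host;
        } else if (fallbackBase != null && !fallbackBase.isEmpty()) {
            base = fallbackBase;
        } else {
            base = requestScheme + "://" + requestHost; // plain Tomcat behaviour: http:// plus its own IP
        }
        return joinPath(base, path);
    }

    /** Joins base and path with exactly one slash (the question's code could emit "https://lb///myconsole"). */
    static String joinPath(String base, String path) {
        return base.replaceAll("/+$", "") + "/" + path.replaceAll("^/+", "");
    }

    public static void main(String[] args) {
        // Constructed sample: client used https://www.example.com, F5 ended TLS, Apache proxied to Tomcat over AJP.
        Set<String> allowed = Set.of("www.example.com");
        Map<String, String> fromLb = Map.of("x-forwarded-proto", "https", "x-forwarded-host", "www.example.com");
        System.out.println(build(fromLb, "http", "10.32.24.14", allowed, null, "/myconsole/Home.jsp"));
        // A spoofed X-Forwarded-Host is not in the allowlist, so the configured base is used instead.
        Map<String, String> spoofed = Map.of("x-forwarded-proto", "https", "x-forwarded-host", "evil.example.net");
        System.out.println(build(spoofed, "http", "10.32.24.14", allowed, "https://www.example.com/", "/myconsole/Home.jsp"));
    }
}
```

Tomcat's RemoteIpValve can apply the same X-Forwarded-Proto mapping container-wide so that request.getScheme() already reports https, which also makes the answer's startsWith("http://") check behave correctly behind the proxy.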

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow