Force Grails/Weblogic To Only Redirect Using HTTPS protocol

Question

I'm using Grails (2.2.2) on a project and my application issues undesirable http redirects instead of https redirects.

We currently have an F5 load balancer in front of Oracle Weblogic. The F5 is offloading our SSL from Weblogic. The F5 only accepts https requests and Weblogic only accepts http requests.

My Grails project uses the Spring Security and Spring Security CAS plugin.

The problem typically occurs on a successful CAS login. Grails seems to always issue an HTTP redirect.

My serverURL specifies HTTPS as do all my CAS configuration variables. like

grails.serverURL = "https://example.com/${appName}"

Is there any way to force GRAILS/Weblogic to only issue https redirects?

EDIT #1 - Further Info

I've tried doing this with no luck:

grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugin.springsecurity.secureChannel.definition = [
    '/**': 'REQUIRES_SECURE_CHANNEL'
 ]
grails.plugin.springsecurity.portMapper.httpPort = 80
grails.plugin.springsecurity.portMapper.httpsPort = 443
grails.plugin.springsecurity.secureChannel.secureHeaderName = 'WL-Proxy-SSL'
grails.plugin.springsecurity.secureChannel.secureHeaderValue = 'http'
grails.plugin.springsecurity.secureChannel.insecureHeaderName = 'WL-Proxy-SSL'
grails.plugin.springsecurity.secureChannel.insecureHeaderValue = 'https'

Also, the behavior seems like it may be related to Spring Security/Spring CAS plugin not respecting protocol

The redirect that happens after j_spring_security_check seems to always return an http redirect instead of an https redirect. This creates a problem as we do not allow http requests on the F5 server. I.E.

https://www.example.com/grailsapp/
-> 
https://www.casserver.com/cas/login?service=https%3A%2F%2Fwww.example.com%2Fgrailsapp%2Fj_spring_cas_security_check
-> https://www.example.com/grailsapp/j_spring_cas_security_check;jsessionid=f6T8RyDZ83Z2QQQlMQ7fGXvlrs05m9hTjlBkndD6stBh1s20v2ZH!-1677111548?ticket=ST-231-4Dl5PVDe4RRLpAW5CEXb-www.casserver.com
->
http://www.example.com/grailsapp/

Config for CAS plugin:

production {
    grails.plugins.springsecurity.cas.loginUri = '/login'
    grails.plugins.springsecurity.cas.serviceUrl = 'https://example.com/grailsapp/j_spring_cas_security_check'
    grails.plugins.springsecurity.cas.serverUrlPrefix = 'https://casserver.com/cas'
    grails.plugins.springsecurity.logout.afterLogoutUrl = 'https://casserver.com/cas/logout?url=https://example.com/grailsapp/'
}

Answer 1

I was able to come up with a solution through an F5 redirect rewrite rule. Unfortunately, it is not as ideal as coming up with a Grails solution but it works for my environment.

when HTTP_RESPONSE { 
  if { [HTTP::is_redirect] }{ 
        HTTP::header replace Location [string map {"http://example.com/grailsapp/" "https://example.com/grailsapp/"} [HTTP::header Location]] 
    } 
}

Answer 2

I would recommend you look at your channel security settings for Spring Security. Pay attention to the section regarding F5s and SSL in the documentation.

I suspect you are missing the following from your configuration:

grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true

I also suspect you aren't forcing your application to always run under SSL by setting:

grails.plugin.springsecurity.secureChannel.definition = [
   '/**': 'REQUIRES_SECURE_CHANNEL'
]

Answer 3

You might want to consider http://grails.org/plugin/force-ssl

Otherwise we recommend using Apache / Nginx to do the redirect