Question

I have a WebLogic cluster domain which has the following configuration: 2 managed servers, 1 admin server, and a proxy server. My webapp is deployed on the 2 managed servers.

The SSL ports on both managed servers are enabled and I have added a user data constraint of CONFIDENTIAL in web.xml, so that the SSL ports are always used for communication with my webapp.

<user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

Now here is the issue:

The HTTP POST request from the Internet Explorer client to the HTTP port of the proxy server gets converted into an HTTPS GET when the proxy server redirects the request to the SSL port of one of the managed servers. Hence, the Internet Explorer client never receives the response to the HTTP POST.

My goal here is to enforce HTTPS even if the client uses HTTP. Is there any problem with this configuration? I want to somehow prevent Internet Explorer from converting the HTTP POST to an HTTP GET on receiving a "302 Found".


Solution

If the client gets an HTTP 303 See Other code, it will unconditionally submit a GET request. If the client gets an HTTP 302 Found, it should submit the same type of request (POST) to the redirected URL, with user confirmation. This may not work properly on older browsers, which tend to treat 302 Found as if it were 303 See Other.

Anyway, having a form on a non-secure page submit data to a secure page is a bad idea.

The form page may be tampered with and spied on in any way you can imagine, and the user cannot be sure that the data he submits is the data he sees.

Example: Your form has a "MainData" field. An intermediate phishing site can inject JavaScript to spy on the entered data, put in a hidden "MainData" field containing whatever it wishes, and show a dummy "FakeIgnoreData" field to the user.

Solution: Put form page and submission page on the same HTTPS server.
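The following is an added example, not code from the question or the answer above. It models why the answer's recommendation works: two constructed web.xml fragments are parsed with the standard library, servlet url-pattern matching decides which requests the container redirects to HTTPS, and a simple client model turns a POST into a GET when following a 302 or 303 (the older-browser behaviour the answer describes). With CONFIDENTIAL only on the submission URL the redirect hits the POST and the body is lost; with CONFIDENTIAL on `/*` the redirect hits the harmless GET for the form page, so the later POST is already on HTTPS. The host `app.example`, the SSL port 8002 and the paths `/form` and `/submit` are assumptions for illustration.

```python
"""Model of the POST-over-redirect problem and the whole-app CONFIDENTIAL fix.

Added example, not part of the original question or answer. Host name, SSL
port and paths are assumed; the web.xml fragments are constructed inline.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml: only the submission URL is CONFIDENTIAL.
WEB_XML_SUBMIT_ONLY = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>submit</web-resource-name>
      <url-pattern>/submit</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Constructed web.xml: the whole application, form page included, is CONFIDENTIAL.
WEB_XML_WHOLE_APP = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

REDIRECT_BASE = "https://app.example:8002"   # assumed SSL listen address


def confidential_patterns(web_xml):
    """Return url-patterns whose security-constraint demands a protected transport."""
    root = ET.fromstring(web_xml)
    patterns = []
    for sc in root.findall("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", default="NONE")
        if guarantee.strip().upper() in ("CONFIDENTIAL", "INTEGRAL"):
            for wrc in sc.findall("web-resource-collection"):
                patterns.extend(p.text.strip() for p in wrc.findall("url-pattern"))
    return patterns


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: default (/), prefix (/x/*), extension (*.ext), exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def requires_tls(web_xml, path):
    """True if any CONFIDENTIAL constraint covers this path."""
    return any(pattern_matches(p, path) for p in confidential_patterns(web_xml))


def container(web_xml, method, scheme, path, redirect_status=302):
    """Model the container: plain-HTTP requests to protected paths get a redirect."""
    if scheme == "http" and requires_tls(web_xml, path):
        return {"status": redirect_status, "location": REDIRECT_BASE + path}
    return {"status": 200, "served": (method, scheme, path)}


def method_after_redirect(method, status):
    """Client model: 303 always becomes GET, older browsers treat 302 the same way;
    307/308 preserve the original method."""
    if status in (302, 303):
        return "GET"
    return method


def submit_flow(web_xml):
    """GET the form page, then POST to /submit, following at most one redirect each.
    Returns the (method, scheme, path) tuples the application actually served."""
    served = []
    scheme = "http"           # the user typed a plain-HTTP URL
    for method, path in (("GET", "/form"), ("POST", "/submit")):
        resp = container(web_xml, method, scheme, path)
        if resp["status"] in (301, 302, 303, 307, 308):
            method = method_after_redirect(method, resp["status"])
            scheme = "https"  # the form page now lives on HTTPS, so its action does too
            resp = container(web_xml, method, scheme, path)
        served.append(resp["served"])
    return served


if __name__ == "__main__":
    print("submit-only:", submit_flow(WEB_XML_SUBMIT_ONLY))  # POST turned into GET
    print("whole-app:  ", submit_flow(WEB_XML_WHOLE_APP))    # POST arrives over HTTPS
```

The model deliberately ignores the proxy: whether the 302 is issued by the WebLogic proxy plug-in or by the managed server makes no difference to the client, which sees one redirect and re-issues the request as a GET. Moving the constraint to `/*` (or at least to the form page's URL) is the web.xml expression of "put form page and submission page on the same HTTPS server".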

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow