Using struts2 redirect-action over https

I have a problem with struts2 and redirect-action over https.
Basically the redirect response I get back from my https request has a non-secure location (i.e. http://...).
So that means the browser goes from a secure session to a non-secure session.
Any idea what could cause this?
Cheers,
Stuart.

The problem was not in Struts 2 although the solution posted by Umesh would also have worked.
The environment I was working in had the SSL connections terminated by a load balancer before it reached the Apache front end. This meant the AJP request to Tomcat appeared to be HTTP and the redirect URL in the response from the Struts redirect-action was written as HTTP.
The solution I chose was to write a separate connector in tomcat's server.xml for the HTTPS connections, specifying:
secure="true"
scheme="https"
proxyPort="443"
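The two-connector layout the answer above describes, written out as an added example (not from the original post); the ports, host name and proxy address range are assumptions. The RemoteIpValve at the end is the single-connector alternative, which the post does not mention:

```xml
<!-- server.xml (added example): the load balancer terminates TLS, so Tomcat must be
     told which requests were HTTPS on the client side. Ports, host name and the
     proxy address range are assumptions. -->
<Service name="Catalina">

  <!-- Plain HTTP traffic. Apache's :80 vhost forwards here over AJP. -->
  <Connector port="8009" protocol="AJP/1.3"
             proxyName="www.example.com" proxyPort="80" />

  <!-- Traffic the load balancer received over HTTPS. Apache's :443 vhost must
       forward here. secure/scheme/proxyPort make request.isSecure(),
       getScheme() and getServerPort() report the client-facing values, so
       sendRedirect() and the Struts redirect-action emit https://...:443 URLs.
       Tomcat believes whatever arrives on this port, so restrict it to the
       front end (Tomcat 9.0.31+ also requires an AJP "secret" on the connector). -->
  <Connector port="8010" protocol="AJP/1.3"
             secure="true" scheme="https"
             proxyName="www.example.com" proxyPort="443" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps">

      <!-- Single-connector alternative (not the approach taken in the answer):
           the proxy tags each request with X-Forwarded-Proto and Tomcat trusts
           that header only when the request comes from the listed
           internalProxies, so an outside client cannot spoof "https". -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             internalProxies="10\.0\.0\.\d{1,3}" />

    </Host>
  </Engine>
</Service>
```

With either approach, check the fix by requesting the redirecting action through the HTTPS front end and confirming the Location header starts with https:// and carries no :8080-style port.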

Struts 2 itself does not support SSL switching by default
If you are switching from HTTPS mode to HTTP and vice versa, my best bet is to use the Struts2-SSL plugin.
This plugin will take care of the switching based on the method annotation or the configuration you have provided.
Here are the details: Struts2-SSL plugin

Related

How can you deploy a Spring Boot application with HTTPS without making any changes to the application?

I have a Spring Boot application which works over HTTP. I do not want to touch the application - so no keystore etc. I want to use a reverse proxy - i.e. the request will land at some other machine over TLS and
will get redirected to my Spring Boot application over secure socket layer. How could it be done?
Edit: When I try to login to that site, developer tool console tells me:
"Mixed Content: The page at 'https://xxxx-uat.xxxx.com:4200/login' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://151.253.73.106:9091/login'. This request has been blocked; the content must be served over HTTPS."
Nginx reverse proxy is being used.
The best way to do it is to use Cloudflare. Cloudflare is free for basic use. You can create a new site, point it to your HTTP URL and configure SSL as flexible. So now your service is behind HTTPS. Cloudflare will act as a proxy. The request will go to Cloudflare via HTTPS, then it will be routed to your HTTP service.

Redirect 302 loop when force routing HTTP traffic to HTTPS via Spring

I'm trying to redirect all traffic hitting HTTP to HTTPS on my application. Nginx is handling generating keys and certificate signing requests.
HTTPS works perfectly when we type it in manually in the browser's address bar. So to force all HTTP requests to use HTTPS we are changing Spring configuration in various ways.
When adding the requires-channel="https" attribute to <intercept-url/> in our .xml we are getting a 302 redirect loop. We tried declaring the port mappings in a Spring config .xml as suggested in this SO answer but it made no difference to the redirect loop. Looking at the network tab in Chrome dev tools, HTTPS is looping on itself.
Any help/ideas are appreciated, thanks.

OPTIONS-request with Authentication header (IBM WAS Liberty profile)

I want to call REST services from my Angular app. However, these REST services are hosted on WLP and are part of a WAR file developed by some company a while ago, i.e. we have no source code.
I can call GET methods without any issues from Postman, I just need to set authentication and accept headers. However, calling these GET methods from Angular via web browsers will trigger a preflight request (OPTIONS) without the Authentication header prop. Seems to me that OPTIONS requests are triggered by the browsers and Angular cannot set headers for them. I confirmed OPTIONS requests need authentication by running requests via Postman with and without the auth header prop.
Similar problems were discussed in other posts on Stack Overflow, but in such cases people had control over their server-side code and could alter it to avoid authentication headers for OPTIONS requests. Clearly in my case, I cannot do it.
My question is whether there is a possibility to configure WLP to not ask for the authentication header prop for OPTIONS requests (seems to be configurable for Apache web servers and Tomcat)?
Kind regards
A.H.
Even without source, you should be able to edit web.xml and modify the security-constraints to punch a hole for OPTIONS.
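A web.xml security-constraint layout along the lines of that answer, as an added example that is not from the original question or the vendor's WAR; the url-pattern, role name and realm name are assumptions. It uses http-method-omission rather than listing the protected verbs, because an enumerated list leaves every other method unprotected:

```xml
<!-- web.xml fragment (added example, assumes a /rest/* API and role "api-user") -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Everything under /rest/* stays protected for all methods EXCEPT the CORS
       preflight (Servlet 3.0 http-method-omission). Writing
       <http-method>GET</http-method><http-method>POST</http-method> instead
       would silently leave PUT, DELETE, HEAD ... reachable without a login. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>rest-api</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
      <http-method-omission>OPTIONS</http-method-omission>
    </web-resource-collection>
    <auth-constraint>
      <role-name>api-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- OPTIONS is now "uncovered" by the constraint above. Grant it explicitly
       with NO <auth-constraint> element, which means anyone may call it. Note
       that an empty <auth-constraint/> means the opposite: nobody may. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>rest-api-preflight</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
  </security-constraint>

  <!-- Servlet 3.1: any method/pattern no constraint covers is rejected (403)
       instead of being allowed through, so a future edit cannot open a hole. -->
  <deny-uncovered-http-methods/>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>rest-api</realm-name>
  </login-config>
  <security-role>
    <role-name>api-user</role-name>
  </security-role>
</web-app>
```

This only stops the container from demanding credentials on the preflight; the Access-Control-* response headers still have to be produced by a CORS filter or the server's own CORS configuration, and the allowed origins there should be an explicit list rather than "*".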

Can nginx be configured to allow a path like /api to pass through, and add a header to the request

I am using NGINX as my web server for html/js/css files and my web app UI. It is a single page app that uses AJAX requests to a back end Jetty server. Previously I deployed everything in Jetty and ajax calls worked fine. In separating the back end from the web UI tier, I am now trying to figure out how to configure NGINX to allow AJAX requests to pass through to Jetty. But, I ALSO want to prevent someone from watching network traffic and seeing the ajax calls my app makes, then scripting those themselves. To do this, I believe if I can configure nginx to ADD a custom header to the requests as they pass through (is this even possible?) I could then only accept requests with those headers at my Jetty API level.
If that is possible, is it the right way to handle this so that outsiders can't get in to my back end API? Is there a way they could figure out that my nginx server is adding a header short of breaking in to my server and figuring out the configuration?
If your application calls your api via Ajax on the client there's nothing you can do to stop someone from calling it directly (assuming they otherwise have access to the page). At the end of the day, an Ajax request is just a request made from the client in JS. Now, there are lots of stupid ways to make it more difficult, but, if anyone really wants to call your api directly, they can.
If you're just talking about only allowing access through nginx (or specifically your /api location block), just bind jetty to localhost only.

How do you enable https and http->https redirects in ring / compojure

I am developing a RESTful app, for which I need to redirect requests coming in from an http address to its https equivalent. I cannot seem to be able to enable https using ring/compojure.
Anyone have some useful tutorials and/or links? I haven't found any.
The documentation doesn't have anything useful either.
It's very simple. If you want to enable HTTPS support in your web app, just do the following:
Generate a Java KeyStore (.jks) file using a Linux tool called keytool.
In the ring map of your project.clj file, add the following:
{
:ssl? true
:ssl-port 8443
:keystore "path to the jks file"
:key-password "the keystore password"
}
Fire up the server. Now your web app is HTTPS enabled.
I had a similar problem while I was trying to test my Sign-In using Social Media code which obviously had to authenticate over HTTPS and this did the trick for me.
It's possible to serve HTTPS with clojure, but it's much more popular to put nginx or something like that in front of your ring server. If you can figure out how to configure jetty, though, run-jetty clearly supports SSL.
