Thanks for the suggestions, Hari.  I've provided some Ethereal packet capture 
files to Cisco, and they're evaluating the behavior from their side.  I'll post 
anything useful that comes out of their investigation.

Thanks again!


Brian Burt
Enterprise Application Engineer
Gordon Food Service
e-mail: [EMAIL PROTECTED] 
office phone: 616-717-6972

>>> Hari Mailvaganam <[EMAIL PROTECTED]> 2005-05-11 1:34 PM >>>
A couple of suggestions:

- force all traffic on load balancer to/from external world to SSL.

- after form authentication on Tomcat, redirect users to the URL used
by the load balancer - i.e. not XXX:8080/authenticate but
www.YYY.com/authenticate 

- or both

Hope this helps.

regards,

Hari Mailvaganam 

On 5/11/05, Brian Burt <[EMAIL PROTECTED]> wrote:
> I'm running into a problem using form-based authentication with Tomcat 5.5.9 
> behind a Cisco CSS load balancer, and I'm hoping someone can point me in the 
> right direction.
> 
> We've got Tomcat deployed on 2 nodes, not clustered, but load-balanced via 
> NAT distribution by the Cisco device.  We want the site traffic to be secured 
> with SSL, but the SSL is actually terminated in the load balancer for 
> efficiency and to offload the encryption/decryption burden from Tomcat.
> 
> We also planned to use J2EE container-managed authentication using the 
> form-based option.  This is where we're having problems.
> 
> When we reference secure content within the target web app with an HTTPS 
> address, Tomcat serves back the configured Login page just fine.  When we 
> submit the Login form, however, and authentication succeeds, we are 
> redirected to the original resource over HTTP instead of HTTPS.
> 
> Since the SSL terminates in the load balancer, the Cisco device actually 
> routes the request to Tomcat on the standard HTTP port (8080).  It appears 
> that, after successful authentication by the container via the Login form, 
> Tomcat redirects the user to the original resource URL with the HTTP protocol 
> instead of HTTPS, because Tomcat doesn't know about the HTTPS address 
> intercepted by Cisco.  To Tomcat, the requests all come in looking like plain 
> old HTTP.
> 
> Just for grins, I tried setting transport-guarantee = CONFIDENTIAL in my 
> web.xml.  It didn't work, just created a Catch-22 where Tomcat tries to 
> redirect to HTTPS but Cisco intercedes and forwards the request to Tomcat as 
> HTTP.  I spoke with our Network engineers, and they don't believe they can do 
> anything about this on the Cisco side.  They believe it's a web server / 
> Tomcat issue.
> 
> Once I'm into the app, I can type the "s" after "http" in the browser's 
> location bar to "switch back" to SSL.  Clicking links with relative URLs in 
> the pages appears to stick with the HTTPS protocol after that.  It's only the 
> initial container-managed login and redirection to the original requested 
> resource that seems to cause the protocol switch.
> 
> Any advice is greatly appreciated.  Thanks!
> 
> Brian Burt
> Enterprise Application Engineer
> Gordon Food Service
> e-mail: [EMAIL PROTECTED] 
> office phone: 616-717-6972
> 

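For readers hitting the same SSL-offload redirect problem described in the thread above, here is an added example (not configuration from Brian, Hari, or the Tomcat project) of the Tomcat server.xml Connector attributes that tell Tomcat the client connection in front of the load balancer was HTTPS, so the container-managed form login redirects to https:// and transport-guarantee CONFIDENTIAL no longer loops. The host name www.YYY.com, ports 8080/443, and the role name "user" are assumptions taken from or added to the thread's setup.

```xml
<!-- server.xml: HTTP connector that receives already-decrypted traffic from
     the SSL-terminating load balancer. Added example, not from the thread. -->

<!-- BEFORE: plain connector. Tomcat sees scheme "http" and isSecure()=false,
     so FormAuthenticator builds the post-login redirect as http://... and a
     CONFIDENTIAL constraint produces the redirect loop described above. -->
<Connector port="8080" />

<!-- AFTER: describe what the client actually used in front of the balancer.
     scheme/secure make request.getScheme() return "https" and isSecure() true;
     proxyName/proxyPort make getServerName()/getServerPort() return the public
     name and 443, so redirects point at https://www.YYY.com/... instead of
     http://XXX:8080/... (assumed host name). -->
<Connector port="8080"
           scheme="https"
           secure="true"
           proxyName="www.YYY.com"
           proxyPort="443" />

<!-- web.xml: with the connector above, this constraint no longer loops,
     because Tomcat already regards every request on 8080 as confidential.
     Role name "user" is an assumption. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Because every request arriving on port 8080 is now treated as if it came over SSL, that port must be reachable only from the load balancer (firewall or host ACL); a client that can reach 8080 directly would otherwise be treated as secure without any encryption.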
