Avoid HTTP to HTTPS redirection in Weblogic - redirect

I have a web application running on Weblogic. The HTTPS URL to this application is https://localhost:7002/MyApp.
Whenever I am changing the URL in the address bar to http://localhost:7002/MyApp, it automatically redirects to the original HTTPS based URL.
My requirement is to take the user to some kind of custom error page, if they request the HTTP URL. For example, http://localhost:7002/MyApp should redirect to https://localhost:7002/MyApp/error.jsp.
Is this redirection possible to configure in Weblogic?

You mentioned that your https URL is:
https://localhost:7002/MyApp
And assuming that your http URL is:
http://localhost:7001/MyApp
When you say you change the https URL in browser to:
http://localhost:7002/MyApp
This is incorrect. If you provide such a URL, WLS will accept the request on secure port 7002 but will fail to identify the protocol (it expected https but you gave http). Instead of a redirection, you would get some error in the browser and definitely the following error in the WLS logs:
<May XX, 2013 XX:XX:17 PM IST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer
XXXXXXXXXXXXXX - 192.169.0.100 instead of an SSL handshake.>
I assume you are changing the URL to:
http://localhost:7001/MyApp
Please correct/update your issue description.
Now onto your requirement, it seems nearly impossible to do this via WLS configuration.
As a workaround, you can create a servlet filter and call isSecure on ServletRequest to determine whether the request was made using a secure protocol or not. If you find it was not, then you can redirect to some custom page. You would also need to disable the automatic redirection to https that you have reported for your application.
Ref: http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#isSecure%28%29
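A sketch of the servlet filter described in the answer above, as an added example that is not part of the original answer or of WebLogic itself. The class name RequireHttpsFilter and the init-param name httpsErrorPage are hypothetical; the filter is assumed to be mapped to /* in web.xml with httpsErrorPage set to https://localhost:7002/MyApp/error.jsp.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Sends any request that did not arrive over TLS to a fixed HTTPS error page. */
public class RequireHttpsFilter implements Filter {

    // Hypothetical init-param; value e.g. https://localhost:7002/MyApp/error.jsp
    private String errorPageUrl;

    @Override
    public void init(FilterConfig config) throws ServletException {
        errorPageUrl = config.getInitParameter("httpsErrorPage");
        // Refuse to start with a missing or non-HTTPS target: a plain-HTTP
        // target would be caught by this filter again and loop.
        if (errorPageUrl == null || !errorPageUrl.startsWith("https://")) {
            throw new ServletException("httpsErrorPage must be an absolute https:// URL");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // isSecure() describes the connection that reached this server. Behind a
        // TLS-terminating proxy it reports the proxy-to-server hop, not the browser's.
        if (req.isSecure()) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletResponse http = (HttpServletResponse) res;
        // The target comes from deployment configuration, never from the Host
        // header or request parameters, so the client cannot steer the redirect.
        http.setHeader("Cache-Control", "no-store");
        http.sendRedirect(errorPageUrl);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Because error.jsp is itself requested over HTTPS, isSecure() is true for it and the filter passes it through without redirecting again.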

Related

Unwanted redirection from 433 to https

An unwanted redirection happens on the host server: if I browse to https, it redirects me to HTTP, and note that I don't have any redirection rule to HTTP. The odd thing is that I can browse my app in https from any other device and it works well, but not from the host itself. Another thing to notice is that I can bind the site to any other https port and it works well from anywhere, but I want to use the default https port.
I'm using IIS 8.
So, any help on this issue?
Some browsers are caching redirects. You need to clear your browser's cache and try again.

WS Federation (single sign on) module - redirect issue when using SSL offloading

We have a site that we are trying to configure as a client in a SSO scenario, using WS Federation and SAML.
Our site sits behind a load balancer that is doing SSL offloading - the connection to the balancer is under https, but decrypted and forwarded (internally) to the actual site under http and port 81.
Somewhere the WS federation module is attempting to redirect us, but is building up the URL based on the port and incoming protocol to the website:
We request:
https://www.contoso.com/application
and are getting redirected to:
http://www.contoso.com:81/Application
Which doesn't work as the load balancer (correctly) won't respond on this port.
And it seems to be related to the casing of the virtual directory. Browsing to
https://www.contoso.com/Application
seems to work without issue.
(Note for completeness, attempting to browse to http://www.contoso.com/Application with no port will correctly redirect us to the SSL secured URL).
I am trying to find out:
a) Where this redirect is happening in the pipeline and
b) How to configure it to use the correct external address.
If anybody is able to point me in the right direction, I would very much appreciate it.
EDIT 14:19: Seems to be either the WsFederationAuthenticationModule or the SessionAuthenticationModule. These do a case sensitive comparison of the incoming url to what it expects and redirects otherwise:
https://brockallen.com/2013/02/08/beware-wif-session-authentication-module-sam-redirects-and-webapi-services-in-the-same-application/
So that seems to be happening; it's a matter now of trying to get the site to behave nicely and redirect to the correct external URL.
The following seems to be related and ultimately points to the culprit in the default CookieHandler:
Windows Identity Foundation and Port Forwarding
Looking at that code decompiled in VS, it compares HttpContext.Current.Request.Url against the targetUrl and will redirect to the expected 'cased' version otherwise (in our case including the errant port number).
It would seem that explicitly setting the path attribute of the cookie fixes this issue. Either an empty string or the virtual directory name seems to work:
<federationConfiguration>
  <cookieHandler requireSsl="true" name="ContosoAuth" path="/Application/"/>
  <wsFederation passiveRedirectEnabled="true" issuer="https://adfsSite" realm="https://www.contoso.com/Application/" reply="https://www.contoso.com/Application/Home" requireHttps="true"/>
</federationConfiguration>

How do I link the redirect uri to my localhost?

I'm trying to use localhost/users/auth/google_oauth2/callback as the redirect uri, but I keep getting An error occured while connecting to the server: DNS lookup failed for URL: http://localhost/users/auth/google_oauth2/callback
The trick here is to set http://localhost/users/auth/google_oauth2/callback inside the API web interface as one of the redirect URLs. The client side is what gets redirected, so it has nothing to do with the network. Beginner mistake, so hopefully if you're reading this I saved you a headache :)

Experiencing the mixed content error while trying to load facebook application

I've got my application on Facebook. It's working on https. Recently I've set up the Apache reverse proxy. The proxy is doing a redirect from https to http port 8080 of Tomcat. The game is working if accessed directly. While if accessed from Facebook there is an error:
Mixed Content: The page at
'https://apps.facebook.com/pennantrace/?fb_source=bookmark&ref=bookmarks&count=0&fb_bmpos=_0'
was loaded over HTTPS, but requested an insecure form action
'http://thepennantrace.com/'. This request has been blocked; the
content must be served over HTTPS.
UPDATE 1:
I've set Spring Social Facebook's canvas controller's post login URL to the "https://..."; now it works, but Tomcat is redirecting the call to https://...com to the http://....com/resources/index.html
Seems like all redirects from Tomcat are passed as they are (http) without changing the protocol to https.
I fixed it by setting Apache to use X-Forwarded-Proto and Tomcat to respond to that correctly.

Redirect HTTPS request

I am working on a parental control type project with all traffic going through the control proxy. Certain sites must be redirected to a 'block' type page. This is no problem for HTTP but how do I do this (can I do this) for an HTTPS request such as:
Request to https://dodgy.com, proxy redirects browser to http\https://parentalcontrol.com/blocked
My understanding is that for HTTPS the SSL connection is negotiated first. The proxy would have to intercept this initial negotiation and return some fail status to the browser; but can it also send back a redirect that the browser will be happy with and act upon?
Thanks.