Reputation: 3910
I have a Java servlet that sits behind a hardware load balancer. The load balancer only allows HTTPS requests. The problem is that when I get the request in the servlet, I can only see HTTP; it seems it has been decrypted by the time it gets to the servlet, which makes sense because the servlet should not worry about security. When I want to send a redirect in the servlet, however, the request will be blocked by the load balancer because it will be an HTTP request.
I read about some solutions and they're all similar to this one. Basically, people suggest adding a servlet filter to catch the request URL first.
I tried, but it didn't work. What I don't quite understand is this: as long as the servlet has no way to know about the actual request (HTTP/HTTPS), how can a servlet filter be of any help? I also wonder if there's any standard solution to this issue, since I think it's quite common.
Upvotes: 1
Views: 3708
Reputation: 1628
We need to redirect the request properly, based on conditions, before executing the line below.
    response.sendRedirect("some.jsp");
Hold the scheme/referrer like below:
    String scheme = request.getScheme();
    String referer = request.getHeader("referer");
It is better to use the referrer because the scheme doesn't always give the desired result. You can check the value in the console debugger.
Then execute the redirect on a condition, like this:
    String servername = request.getServerName();
    String scheme = request.getScheme();
    String referer = request.getHeader("referer");
    // The Referer header is optional; guard against null before testing it.
    if (referer != null && referer.startsWith("https")) {
        response.sendRedirect("https://" + servername + "/context-root/" + "some.jsp");
    } else {
        response.sendRedirect("some.jsp");
    }
Upvotes: 0
Reputation: 15446
You can actually know if the request to the load balancer was HTTP or HTTPS. The load balancer will send you certain headers that tell you about the original request.
For example, it will send an X-SSL-Secure: true header if the request to the load balancer was HTTPS.
Please refer here.
How can I know if the request to the servlet was executed using HTTP or HTTPS?
Upvotes: 2
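Added example (not code from the answer above or from any load balancer's documentation): a plain-Java helper that accepts the forwarded-scheme header only when the request arrives from the load balancer's address, because a client that can reach the container directly can set that header itself. The proxy address, the public host name and the X-Forwarded-Proto alternative are assumptions; X-SSL-Secure is the header named in the answer.

```java
import java.util.Map;
import java.util.Set;

public class ForwardedScheme {
    // Assumption: address(es) of the load balancer; only these peers may assert the scheme.
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");
    // Assumption: the public host name comes from configuration, not from the Host header.
    static final String PUBLIC_HOST = "www.example.com";

    /**
     * True if the client-to-balancer hop was HTTPS. In a servlet, pass
     * request.getRemoteAddr(), request.getScheme() and the request headers
     * (keys lower-cased by the caller).
     */
    static boolean wasHttps(String remoteAddr, String containerScheme, Map<String, String> headers) {
        if ("https".equalsIgnoreCase(containerScheme)) return true;  // TLS reached the container itself
        if (!TRUSTED_PROXIES.contains(remoteAddr)) return false;     // header could be client-supplied
        String secure = headers.get("x-ssl-secure");                 // header named in the answer
        String proto = headers.get("x-forwarded-proto");             // assumed common alternative
        return "true".equalsIgnoreCase(secure) || "https".equalsIgnoreCase(proto);
    }

    /** Builds an absolute redirect target; only site-local paths are accepted. */
    static String redirectTarget(boolean https, String path) {
        if (!path.startsWith("/") || path.startsWith("//") || path.contains("\\")) {
            throw new IllegalArgumentException("not a site-local path: " + path);
        }
        return (https ? "https://" : "http://") + PUBLIC_HOST + path;
    }

    public static void main(String[] args) {
        // Constructed sample request headers.
        Map<String, String> headers = Map.of("x-ssl-secure", "true");
        // Request relayed by the trusted load balancer: the header is honoured.
        System.out.println(redirectTarget(wasHttps("10.0.0.5", "http", headers), "/context-root/some.jsp"));
        // Same header from an unknown peer: ignored, so the scheme stays as the container saw it.
        System.out.println(redirectTarget(wasHttps("203.0.113.9", "http", headers), "/context-root/some.jsp"));
    }
}
```

The string returned by redirectTarget is what would be passed to response.sendRedirect in the servlet.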
Reputation: 10241
HTTPS is just the HTTP protocol over SSL. It only encrypts the data packets transferred between your client & server using certificates.
Your servlet should not bother about what underlying mechanism is used. The transport protocol is a contract between your client & container. Your servlet remains transparent of how the communication takes place at the network level.
The redirect warnings you are getting may be because of security enforcements. Generally, most modern browsers allow you to go from HTTP to HTTPS but not the other way round.
For example, if your home page is loaded over HTTPS, your browser will block asynchronous calls (any AJAX calls) that you are making over HTTP. This is done to force you to use HTTPS on all the pages of your site.
There could be 2 scenarios here that you might want to check:
1) Are you getting this warning in the client browser? As I already explained above, this might be the cause of your issue.
2) Like the browser, your load balancer might be doing some such security enforcement.
Tip: Generally, whenever we use redirection in our servlet or any backend code, don't specify the protocol explicitly wherever you are using URLs. It could be in your redirection code or any other place, even in the anchor tags you are generating.
Don't write:
    <a href="http://mywebsite.com/page1"> page1 </a>
Instead, let your client browser handle the protocols (additionally, if the URL lies in the same domain, also use domain-relative URLs; use absolute URLs only if they are external to your site).
    <a href="//mywebsite.com/page1"> page1 </a>
This way, your same servlet/backend code will work irrespective of whether you are using HTTPS or not.
One more thing: HTTPS, or HTTP over SSL, is between your client & web-server layer. Your container/app server doesn't (or shouldn't) even know what is going on between them. It is also recommended to use SSL between your web server & app server and have end-to-end encryption.
Upvotes: 0