Login loop with Spring Security requires-channel and Amazon Elastic Load Balancer

I'm trying to get my Spring Security working on a server using Amazon Elastic Load Balancer (ELB). The ELB is configured on port 80 to forward to my app on port 8080 and on port 443 to also forward to 8080.

<security:intercept-url pattern="/login.xhtml" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https" />

<security:port-mappings>
    <security:port-mapping http="80" https="443" />
</security:port-mappings>

Whenever I access this page I get into a login loop. Any idea how to solve this? Not sure if Spring Security is having issues with the fact that the ELB is forwarding traffic from https port 443 to my app on port 8080.

DD. asked Jun 19 '11 22:06


2 Answers

It turns out that Spring Security uses ServletRequest.getServerPort() to determine whether it is using a secure port. My Tomcat was configured using 8080 and 8443, so when the ELB forwarded the request from 443 to my internal Tomcat on 8443, the webapp did not accept this as a secure port:

20 Jun 18:16:49,184 ["http-bio-8443"-exec-5] DEBUG org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint  - Redirecting to: /login.xhtml

I also tried using the proxyPort but couldn't get this to work. Also, if you configure the Spring Security ports to use 8443 instead, then it doesn't do the redirect correctly (it will redirect the app to 8443, which doesn't exist externally).

Long story short... the following settings worked: ELB forwards 80->80 and 443->443. Set up Tomcat to use 80 and 443. Set up port mappings to use 80 and 443 on Spring Security.

DD. answered Oct 28 '22 15:10
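
The three port configurations described in the answer above, as an added example (not code from the original post and not Spring Security source). It is a simplified Java model that assumes, as the answer states, that the secure-channel decision is keyed on the port reported by getServerPort(); the host name app.example.com and the class and method names are hypothetical.

```java
import java.net.URI;
import java.util.Map;

// Simplified model, NOT Spring Security source. Assumption taken from the answer:
// the secure-channel decision is keyed on the port reported by getServerPort().
public class ChannelLoopDemo {
    static final String HOST = "app.example.com";  // hypothetical host name
    static final String PATH = "/login.xhtml";

    // Location the app would send for a request on serverPort, or null if accepted as secure.
    static String redirectFor(int serverPort, Map<Integer, Integer> httpToHttps) {
        if (httpToHttps.containsValue(serverPort)) return null;   // mapped https port
        Integer httpsPort = httpToHttps.get(serverPort);
        if (httpsPort == null) return PATH;   // unmapped port: relative redirect, as in the log line
        return "https://" + HOST + (httpsPort == 443 ? "" : ":" + httpsPort) + PATH;
    }

    // Follows redirects like a browser: external port -> ELB listener -> Tomcat port.
    static String follow(Map<Integer, Integer> elb, Map<Integer, Integer> httpToHttps) {
        int external = 80;                    // browser starts at http://HOST/login.xhtml
        for (int hop = 0; hop < 5; hop++) {
            Integer backend = elb.get(external);
            if (backend == null) return "unreachable: no ELB listener on port " + external;
            String location = redirectFor(backend, httpToHttps);
            if (location == null) return "login page served after " + hop + " redirect(s)";
            URI uri = URI.create(location);
            // Absolute redirect changes the external port; a relative one keeps it.
            if (uri.getScheme() != null) external = uri.getPort() == -1 ? 443 : uri.getPort();
        }
        return "redirect loop";
    }

    public static void main(String[] args) {
        Map<Integer, Integer> elbToHighPorts = Map.of(80, 8080, 443, 8443);
        Map<Integer, Integer> elbToSamePorts = Map.of(80, 80, 443, 443);
        // Tomcat on 8080/8443, Spring mappings 80->443: the backend port is never recognised
        System.out.println(follow(elbToHighPorts, Map.of(80, 443)));
        // Tomcat on 8080/8443, Spring mappings 8080->8443: redirect exposes the internal port
        System.out.println(follow(elbToHighPorts, Map.of(8080, 8443)));
        // The configuration the answer settled on: 80 and 443 everywhere
        System.out.println(follow(elbToSamePorts, Map.of(80, 443)));
    }
}
```
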


A redirect loop almost always happens because you have a secured URL which should not be secured. All URLs are secured by default in Spring Security.

Also, if JavaScript, CSS or image resources are loaded with separate requests by the login page, their URLs are also secured and this might be causing the loop.

Enable the debug log and you should see why you get redirected. This will help you on debug logging (search the page for debug).

Simeon answered Oct 28 '22 16:10