Home/ Questions/Q 7778555
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T18:25:39+00:00

I have been looking everywhere but cannot find a clear solution for the following

  • 0

I have been looking everywhere but cannot find a clear solution for the following situation:

We have a web application (Grails + Spring Security) that is running in tomcat, behind apache. Part of the application needs to run on https, so using Spring Security Channel Security, whenever you navigate to a part of the application that is secure, Spring will redirect you to https with a 302 status code.

Now, tomcat is set up to know about the https and certificates, so it knows how to handle the ssl. In fact, when side-stepping apache by going directly to the url and port to hit tomcat directly, everything works 100%.

The problem now comes in when putting apache in front of tomcat. The apache config that we have at the moment works fine for the non-secure parts of the application. We are using mod_jk to proxy apache and tomcat.

However, as soon as you try to go to a secure part of the application, Spring will redirect you, it will hit the

<VirtualHost _default_:443> ... </VirtualHost>

part of the apache config… and this is where the problem starts.

From what I have read, it is possible for apache, via mod_jk, to pass off the ssl handling to tomcat. But we cannot seem to get the configuration for this correct. Since tomcat is already set up for the ssl, it knows where the certificates are, and Spring Security is set up, we would like tomcat to handle all the ssl, and apache merely to pawn it off to tomcat.

Is this at all possible, or am I missing something? Does anyone have some clear instruction as to how to set this up? Any help will be greatly appreciated.

We are using Apache 2.2 and tomat 7.0.27

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can’t just relay the SSL/TLS traffic to Tomcat from Apache. Either your SSL connection ends at Apache, and then you should reverse proxy the traffic to Tomcat (SSL is rarely useful in this case), or you make the clients connect to Tomcat directly and let it handle the SSL connection.

    I’m not sure where you’ve read that mod_jk can pass on the SSL connection itself to Tomcat. It would need to relay the socket directly, therefore bypassing the AJP protocol used by mod_jk (by the way mod_proxy_ajp is the new way, or even mod_proxy_http).

    I’m not sure why you would want Apache to be in front of Tomcat if you want Tomcat to handle the SSL requests anyway. If this has to do with port numbers or something, use a firewall rule to forward port 443 to the Tomcat port.

    In addition, be cautious about the way these automatic redirections from HTTP to HTTPS are done: they only happen after the initial HTTP request has been made.

    • 0