Release a Spring (not boot) application running with HTTPS

Question

I try a SAML connection to Azure B2C with a Spring application found on GitHub. Every works fine until I run in local, but when I need to test this application in a production eviroment I found myself up against problems due to HTTPS connection.

My production enviroment is based on AWS, I'm running a ECS Tasks configured in reverse proxy. I'm using an Load Balancer with an HTTPS listener and an HTTP rule to redirect on HTTPS.

This application is based on Spring, (not Spring Boot) and builds a WAR file that I run on a Tomcat 7.

When I try the login, this application try an HTTP request that the ALB redirect to HTTPS, but this redirect invalidate my SAML workflow.

I try to add requires-channel="https" to any <security:intercept-url /> node in my securityContext.xml but when I try to access to the application online I've got a ERR_TOO_MANY_REDIRECTS

I need to configure tomcat and this application to request only HTTPS without the needs of any redirects but I don't now how

Answer 1

I finnaly found a solution in two steps.

First step: I modify my Tomcat configuration to works only in https.

In server.xml I added a connector to works with TLS

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" 
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/keystore.keystore"
           keystoreType="JKS"
           keystorePass="myStorePass"
           keyPass="myPass" />

And then I removed redirect of 8080 to 443. Find the node Connector with protocol="HTTP/1.1" and remove it.

Second step: I modify Load Balancer to works only in HTTS with 443 port. To do this I had to create a new target group and a new service on my cluster.