Spring Security redirecting to localhost on production server
I have a grails app with spring-security-core plugin. Everything works fine. I deployed to a staging server and everything worked fine. I have deployed to our production server which is a mirror of our staging server. I can get unsecured pages. But when Spring Security fires and tries to redirect, it redirects to localhost instead of grails.serverURL.
I'm going to keep logging as high as possible and redeploy to see if I can make heads or tails of anything. I'll post my conclusion here. If anyone has experienced this before and knows what might happen, please let me know. Also, if there are any config files that need to be seen, I can provide them as well. Thanks.
Update: I added the following to the end of Config.groovy:
grails.plugins.springsecurity.useSecurityEventListener = true
grails.plugins.springsecurity.onAuthorizationEvent = { e, appCtx ->
    println "here"
    println e
}
Locally this closure gets hit 2 times when I try to access the secure page. Once for the original URL. Second time for authorization URL. Deployed this to our production server and I got nothing.
Redirects are done in the org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint.commence() method, so you can set a breakpoint there if you can borrow one of the servers for debugging.
It creates a redirect URL based on the login form URI (like /login/auth) but uses request.getServerName(), so it must match the original request. Note that grails.serverURL has no effect here, as it builds the URL using the requested server name, port, context, etc.
It can be affected by installing Apache or load balancing in front of your servlet container, although I did both and it worked fine.
Have you done a bean setup in resources.groovy that might affect this?
If your application server is behind a web server, this issue is most likely caused by your web server configuration. I had the same problem and fixed it using the following entry in my httpd.conf or apache2.conf. Here it is ... Please note that the xml tags are incomplete as I didn't want to take the time to find out how to avoid them. (: R)
*...boilerplate configuration here...*
################################
# Begin yourdomain.com... #
################################
ProxyRequests Off
ProxyPreserveHost On
Proxy *>
Order deny,allow
Allow from all
/Proxy>
ProxyPass / http://localhost:28080/
ProxyPassReverse / http://localhost:28080/
Location / >
Order allow,deny
Allow from all
/Location>
################################
# ... end yourdomain.com #
################################
Assuming you have a web server (apache, nginx, etc.) as a proxy in front of Tomcat (and you are using Tomcat) ...
In a setup where you allow both http and https, add a separate Connector element to your Tomcat conf/server.xml file:
<Connector port="8081" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" URIEncoding="UTF-8"
scheme="https" secure="true" proxyName="somehostname.domain" proxyPort="443" />
If only https is allowed, you can add the scheme, secure, proxyName, and proxyPort attributes to the existing Connector element.
In the Apache config, create a *:443 virtual host that proxies to the connector with the additional attributes. A plain http *:80 virtual host can connect to the original connector.
For more information: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Proxy_Support http://tomcat.apache.org/tomcat-7.0-doc/proxy-howto.html
I know this is an old question, but I would like to add my findings to help other users who may be facing this problem.
In addition to Bert's answer (I'm assuming you are using Tomcat), I found out that the return value of request.getServerName() can also be set via server.xml,
i.e. in Tomcat 8 (https://tomcat.apache.org/tomcat-8.0-doc/config/http.html),
this line in server.xml
<Connector protocol="HTTP/1.1"
port="8080" ...
proxyName="localhost"/>
will return "localhost" when getServerName is called.
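The answers above all come down to which host, port and scheme the servlet container reports when the login redirect is built. As an added illustration (not code from any of the posters, Spring Security or Tomcat), this simplified Python model derives the redirect for three proxy setups; `app.example.com` is a constructed hostname, the function names are hypothetical, and Spring Security's port remapping is not modelled.

```python
# Simplified model (added example): the Location the backend emits for the
# login redirect, given the forwarded Host header and the Tomcat connector.
from dataclasses import dataclass
from typing import Optional

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Connector:
    """Subset of the Tomcat <Connector> attributes discussed in the answers."""
    scheme: str = "http"
    proxy_name: Optional[str] = None
    proxy_port: Optional[int] = None


def host_seen_by_backend(client_host: str, preserve_host: bool, backend: str) -> str:
    """Host header Apache sends upstream: the client's with ProxyPreserveHost On,
    otherwise the authority taken from the ProxyPass target."""
    return client_host if preserve_host else backend


def login_redirect(host_header: str, conn: Connector,
                   context_path: str = "", login_uri: str = "/login/auth") -> str:
    """Absolute URL assembled from scheme, server name, port and context path."""
    name, _, port_text = host_header.partition(":")  # IPv6 literals not handled
    # proxyName / proxyPort on the connector override the Host header.
    server_name = conn.proxy_name or name
    if conn.proxy_port is not None:
        port = conn.proxy_port
    elif port_text:
        port = int(port_text)
    else:
        port = 80  # a plain (non-TLS) connector reports 80 when Host has no port
    # The port is omitted when it is the default for the scheme.
    default = DEFAULT_PORTS.get(conn.scheme)
    authority = server_name if port == default else f"{server_name}:{port}"
    return f"{conn.scheme}://{authority}{context_path}{login_uri}"


def demo() -> dict:
    public, backend = "app.example.com", "localhost:28080"  # constructed values
    tls = Connector(scheme="https", proxy_name=public, proxy_port=443)
    return {
        "preserve_host_off": login_redirect(host_seen_by_backend(public, False, backend), Connector()),
        "preserve_host_on": login_redirect(host_seen_by_backend(public, True, backend), Connector()),
        "proxy_attrs_set": login_redirect(host_seen_by_backend(public, False, backend), tls),
    }
```

The `preserve_host_off` result is the backend's own address; it reaches the browser unless something on the way out, such as `ProxyPassReverse`, rewrites the Location header.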