I have a problem and I believe it boils down to a misfit between our load balancer, web server (IHS), HTTPS configuration and Java EE form security with j_security_check.
I understand that when a client tries to hit a secure page, the server (WebSphere) sends a redirect with the URL of the sign-in form, which is what we see in our dev and test environments. However, the production setup has a web server (IHS) which consumes the https URL, strips the "s" and forwards the http URL to WebSphere (known as SSL offloading). When WebSphere replies with the redirect it does so without https, with http://server-name/loginform, and I see a browser error that it can't access http://server-name/loginform.
The relevant part of web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Whitelist</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>authenticated-users</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>login</web-resource-name>
        <url-pattern>/keepalive</url-pattern>
        <url-pattern>/signin</url-pattern>
        <url-pattern>/signin/error</url-pattern>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
</security-constraint>
<security-role>
    <description>Any LDAP authenticated user</description>
    <role-name>authenticated-users</role-name>
</security-role>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/signin</form-login-page>
        <form-error-page>/signin/error</form-error-page>
    </form-login-config>
</login-config>
I'm wondering whether that's a misconfiguration on the Java side (my responsibility); I expect the URL in form-login-page (/login) to be relative on the browser. But I also think that the load balancer should automatically convert an http call to an https call (someone else's responsibility). I hope someone has suggestions.
You should provide a bit more information in your question, such as which load balancer you are using, whether it goes straight to WAS or via IHS, and how your web application is configured (web.xml).
So here are some general hints that might be useful for you.
If you already have security configured and the login form is correctly displayed over http, you just need to add the following to web.xml:
<security-constraint>
    ...
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
This will ensure that WebSphere generates a redirect to https when a client tries to access protected pages.
If your load balancer is configured to offload SSL and forward requests to WebSphere using plain http, then you need to configure WebSphere to be aware of that. This is done by configuring the httpsIndicatorHeader custom property and adding a custom header in the load balancer.
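The two halves of the answer put together, as an added example that is neither the asker's deployed descriptor nor the answerer's code: the asker's web.xml with a user-data-constraint of CONFIDENTIAL on both security constraints, so that the protected pages and the sign-in form itself are only ever served over TLS. The namespace and version="3.0" are assumptions (any Java EE 6 or later descriptor works the same way); the header name X-Forwarded-Proto is likewise an assumption, standing in for whatever header the load balancer is configured to add and the httpsIndicatorHeader custom property is set to.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: the asker's web.xml plus the answer's user-data-constraint.
     Namespace/version are assumed (Java EE 6 descriptor). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <!-- Everything is protected and must arrive over TLS. With CONFIDENTIAL,
         a request the container believes is plain http gets a redirect to the
         https URL instead of the login-form redirect the asker saw. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Whitelist</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>authenticated-users</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- The sign-in pages and static resources need no role (no
         auth-constraint), but still require TLS, so the form into which the
         user types LDAP credentials is never rendered over plain http. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>login</web-resource-name>
            <url-pattern>/keepalive</url-pattern>
            <url-pattern>/signin</url-pattern>
            <url-pattern>/signin/error</url-pattern>
            <url-pattern>/resources/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-role>
        <description>Any LDAP authenticated user</description>
        <role-name>authenticated-users</role-name>
    </security-role>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/signin</form-login-page>
            <form-error-page>/signin/error</form-error-page>
        </form-login-config>
    </login-config>

    <!-- Assumed header name. Behind an SSL-offloading load balancer the
         container only sees http, so CONFIDENTIAL alone would make it redirect
         to https on every request. Set the WebSphere custom property
         httpsIndicatorHeader to the name of a header the load balancer adds
         (here X-Forwarded-Proto) on requests that arrived over TLS, so the
         container treats them as https and builds https redirect URLs. -->

</web-app>
```

Deploy the CONFIDENTIAL constraints and the httpsIndicatorHeader setting together. With the constraints but no indicator header, every request reaching WebSphere looks like plain http, each one is answered with a redirect to https, the load balancer offloads that to http again, and the browser loops. One further check belongs on the load balancer side: it must set (or overwrite) the indicator header itself and drop any copy supplied by the client, because a client that can send the header on a plain-http connection would otherwise be treated as if it were on TLS.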