SEC-261: Secure/Insecure Channel Processor #523
When operating ACEGI behind a Load Balancer or Web Server that performs SSL on behalf of the App Server, channel security doesn’t work. It would be useful if there was a ChannelProcessor implementation that could review the remote port of a request (which survives even if the LB switches from https to http before landing in the Acegi stack). The idea would be to allow configuration of a SecureChannelProcessor and an InsecureChannelProcessor based on port mapper configuration.
One possible implementation could be:
The Spring bean configs might be:
These would be wired into the ChannelDecisionManager as needed.
Luke Taylor said:
I’m not quite clear on why this is required, i.e. why “channel security doesn’t work” when behind a proxy which handles SSL.
I would’ve thought it was possible to configure connectors appropriately in Tomcat, for example. I.e. setting secure="true" scheme="https" (and setting proxyName and proxyPort) for the connector to which the HTTPS connections are being proxied would label it as secure as far as the channel processor was concerned, even though only the connection to Apache was actually encrypted.
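The connector setup described in the comment above, as an added example that is not part of the original thread or the project's own configuration. The port numbers, the loopback bind address (which assumes the proxy runs on the same host) and the host name `www.example.com` are constructed placeholders.

```xml
<!-- Added example: Tomcat server.xml fragment; all values are constructed. -->
<Service name="Catalina">

  <!-- Receives requests the front-end proxy accepted over plain HTTP.
       For these, request.isSecure() is false and request.getScheme()
       is "http", so a secure-channel check sees an insecure request. -->
  <Connector port="8080" protocol="HTTP/1.1"
             address="127.0.0.1" />

  <!-- Receives ONLY requests the proxy accepted over HTTPS and then
       forwarded in clear text. No TLS is configured on this connector;
       secure/scheme merely label the request, so request.isSecure()
       returns true and request.getScheme() returns "https".
       proxyName/proxyPort are what getServerName()/getServerPort()
       report, so generated redirects point at the public endpoint.

       Caveat: every request that reaches this port is labelled secure.
       Bind it to an interface only the proxy can reach (loopback here)
       or restrict it by firewall, and make sure the proxy never routes
       plain-HTTP traffic to it. -->
  <Connector port="8081" protocol="HTTP/1.1"
             address="127.0.0.1"
             secure="true" scheme="https"
             proxyName="www.example.com" proxyPort="443" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

The proxy then forwards its HTTPS virtual host to port 8081 and its HTTP virtual host to port 8080, so the label on each request matches how the client actually connected.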