Tomcat behind Apache and SSL

Published 2020-07-06 06:02

Question:

I have been looking everywhere but cannot find a clear solution for the following situation:

We have a web application (Grails + Spring Security) that is running in tomcat, behind apache. Part of the application needs to run on https, so using Spring Security Channel Security, whenever you navigate to a part of the application that is secure, Spring will redirect you to https with a 302 status code.

Now, Tomcat is set up to know about the HTTPS and certificates, so it knows how to handle the SSL. In fact, when side-stepping Apache by going directly to the URL and port to hit Tomcat directly, everything works 100%.

The problem now comes in when putting apache in front of tomcat. The apache config that we have at the moment works fine for the non-secure parts of the application. We are using mod_jk to proxy apache and tomcat.

However, as soon as you try to go to a secure part of the application, Spring will redirect you, it will hit the

<VirtualHost _default_:443> ... </VirtualHost>

part of the apache config... and this is where the problem starts.

From what I have read, it is possible for apache, via mod_jk, to pass off the ssl handling to tomcat. But we cannot seem to get the configuration for this correct. Since tomcat is already set up for the ssl, it knows where the certificates are, and Spring Security is set up, we would like tomcat to handle all the ssl, and apache merely to pawn it off to tomcat.

Is this at all possible, or am I missing something? Does anyone have some clear instruction as to how to set this up? Any help will be greatly appreciated.

We are using Apache 2.2 and Tomcat 7.0.27.

Thanks

Answer 1:

You can't just relay the SSL/TLS traffic to Tomcat from Apache. Either your SSL connection ends at Apache, and then you should reverse proxy the traffic to Tomcat (SSL is rarely useful in this case), or you make the clients connect to Tomcat directly and let it handle the SSL connection.

I'm not sure where you've read that mod_jk can pass on the SSL connection itself to Tomcat. It would need to relay the socket directly, therefore bypassing the AJP protocol used by mod_jk (by the way mod_proxy_ajp is the new way, or even mod_proxy_http).

I'm not sure why you would want Apache to be in front of Tomcat if you want Tomcat to handle the SSL requests anyway. If this has to do with port numbers or something, use a firewall rule to forward port 443 to the Tomcat port.

In addition, be cautious about the way these automatic redirections from HTTP to HTTPS are done: they only happen after the initial HTTP request has been made.



Answer 2:

From your post, I cannot tell whether you are running into an issue while getting SSL to work on Apache or whether, since you have certain parts of your app over HTTP, Apache never redirects over SSL. Note that it's perfectly okay to have multiple "segments" over SSL (meaning user -> Apache over SSL and then Apache -> Tomcat over SSL).
1. If the issue is getting SSL to work over Apache - you will need to make sure that SSL is set up correctly on the Apache end.
2. If the issue is the "redirect", try and keep separate URLs for HTTP and HTTPS, like /something.mysite.com/non_ssl/ and /something.mysite.com/ssl/. This will make it easier to write the rules in Apache.
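The layout both answers describe, as an added configuration example that is not part of the original thread: Apache httpd 2.2 terminates TLS on port 443 and reverse-proxies to Tomcat over AJP (the mod_proxy_ajp route answer 1 mentions), with the re-encrypting "multiple segments" variant from answer 2 shown as a commented alternative. The hostname app.example.com, the loopback ports 8009 and 8443, and the certificate paths are assumptions. The security-relevant detail is the redirect loop behind the question: if Tomcat cannot tell the request arrived over TLS, Spring's channel security answers every request with another 302 to https. AJP forwards the is_ssl flag, so request.isSecure() is true in Tomcat; the HTTPS-to-Tomcat variant needs Tomcat to trust the proxy's X-Forwarded-Proto header instead.

```apache
# Added example (not from the original thread). Apache httpd 2.2 terminates
# TLS and proxies to Tomcat over AJP. Hostnames, ports and certificate paths
# below are assumptions.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_ajp_module  modules/mod_proxy_ajp.so
LoadModule headers_module    modules/mod_headers.so

# Never behave as an open forward proxy: only the explicit ProxyPass rules apply.
ProxyRequests Off

# Plain HTTP does nothing except send the browser to the TLS virtual host.
<VirtualHost *:80>
    ServerName app.example.com
    Redirect permanent / https://app.example.com/
</VirtualHost>

# TLS ends here. Apache holds the certificate; Tomcat needs no HTTPS connector
# for traffic that arrives through this proxy.
<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key
    SSLProtocol all -SSLv2 -SSLv3

    # Keep the client's Host header so Tomcat builds redirect URLs with the
    # public hostname rather than 127.0.0.1:8009.
    ProxyPreserveHost On

    # AJP carries the is_ssl flag plus cipher and client-certificate attributes,
    # so request.isSecure() is true inside Tomcat and Spring Security's channel
    # check is satisfied without a second 302. Tomcat's AJP connector (assumed on
    # 8009) should bind to 127.0.0.1 only, since AJP trusts what the proxy sends.
    ProxyPass / ajp://127.0.0.1:8009/

    # Variant for the "multiple TLS segments" layout from answer 2: Apache
    # re-encrypts to Tomcat's own HTTPS connector (assumed on 8443). Verify the
    # backend certificate so the inner hop is not trivially interceptable, and
    # tell Tomcat the original scheme, because a plain HTTP proxy hop carries no
    # is_ssl flag (Tomcat needs RemoteIpValve to honour this header).
    #SSLProxyEngine On
    #SSLProxyVerify require
    #SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.crt
    #RequestHeader set X-Forwarded-Proto "https"
    #ProxyPass        / https://127.0.0.1:8443/
    #ProxyPassReverse / https://127.0.0.1:8443/
</VirtualHost>
```

On the Tomcat side, the AJP route only needs the AJP/1.3 connector bound to the loopback address (with mod_jk, a shared worker secret can additionally be required on both ends). For the re-encrypting variant, Tomcat 7 must be told to trust the proxy and read the forwarded scheme, which is what RemoteIpValve with protocolHeader="X-Forwarded-Proto" and internalProxies limited to the Apache host does; without it Tomcat still sees a non-secure request from 127.0.0.1 and the redirect loop returns. Either way, ProxyRequests Off and the explicit ProxyPass targets keep Apache from being usable as an open proxy once mod_proxy is loaded.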