Require HTTPS with Spring Security behind a reverse proxy

Question

I have a Spring MVC application secured with Spring Security. The majority of the application uses simple HTTP to save resources, but a small part processes more confidentia

Answer 1

If your site is HTTPS and you're running Apache Tomcat behind another system that's handling TLS termination, you can tell Tomcat to "pretend" that it's handling the TLS termination.

This makes request.isSecure() return true;

To do so, you need to add secure="true" to your Connector config in server.xml.

https://tomcat.apache.org/tomcat-7.0-doc/config/http.html

See also the scheme attribute.