Spring Security is redirecting to localhost on production server

Question

I have a grails application with the spring-security-core plugin installed. Everything works fine locally. I deployed to a staging server and everything worked fine. I de

Answer 1

If your application server is behind a web server, this problem is likely caused by your web server configuration. I had this same problem and corrected it by using the following entry in my httpd.conf or apache2.conf. Here it is...

...boilerplate configuration here...

################################
# Begin yourdomain.com...      #
################################

ProxyRequests Off
ProxyPreserveHost On

<Proxy>
    Order deny,allow
    Allow from all
</Proxy>

ProxyPass / http://localhost:28080/
ProxyPassReverse / http://localhost:28080/

<Location>
    Order allow,deny
    Allow from all
</Location>

################################
# ... end yourdomain.com       #
################################

Answer 2

Assuming you have a webserver (apache, nginx, etc) as a proxy in front of Tomcat (and you are using Tomcat)...

In a setup where you allow both http and https, add a separate Connector element to tomcat's conf/server.xml file:

<Connector port="8081" protocol="HTTP/1.1" 
           connectionTimeout="20000" 
           redirectPort="8443"  URIEncoding="UTF-8"
           scheme="https" secure="true" proxyName="somehostname.domain" proxyPort="443" />

If only https is allowed, you can add the scheme, secure, proxyName and proxyPort attributes to the existing Connector element.

In apache config, make the *:443 virtual host proxy to the Connector with the extra attributes. The plain http *:80 can connect to the original Connector.

For more information: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Proxy_Support http://tomcat.apache.org/tomcat-7.0-doc/proxy-howto.html

Answer 3

I know this is an old question, but I would like to add my findings to help other users that might encounter this problem.

In addition to Burt's answer (I'm assuming that you are using tomcat), I found out that the returned value of request.getServerName() can also be set via server.xml

i.e in tomcat 8 https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

having this line in server.xml

<Connector protocol="HTTP/1.1"
           port="8080" ...
proxyName="localhost"/>

would return "localhost" when getServername is invoked.

Answer 4

The redirects are done in org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint.commence() method, so you could set a breakpoint there if you're able to borrow one of the prod servers for debugging.

It builds the redirect URL based on the login form uri (e.g. /login/auth) but it uses request.getServerName() so it should be the same as the original request. Note that grails.serverURL has no impact here since it builds the URL using the requested server name, port, context, etc.

It might be affected by putting Apache or a load balancer in front of your servlet container, although I've done both and it's worked fine.

Have you done any bean customization in resources.groovy that might affect this?