Well, we finally came up with a semi-decent solution to the problem with redirects in Tomcat.
Here is what you do:
In Tomcat's server.xml, you can configure the Connector to run behind a proxy using the proxyName and proxyPort parameters. Here is the relevant piece of Tomcat documentation on these parameters:
"The proxyName and proxyPort attributes can be used when Tomcat is run behind a proxy server. These attributes modify the values returned to web applications that call the request.getServerName() and request.getServerPort() methods, which are often used to construct absolute URLs for redirects. Without configuring these attributes, the values returned would reflect the server name and port on which the connection from the proxy server was received, rather than the server name and port to whom the client directed the original request."
Well, in my case, I'm running Tomcat behind an SSL decoder, not a proxy, but the effect is the same, and the solution is the same.
So, in the Connector attributes, I set the "proxyName" to the server name of my website as seen from the outside world ("mysite.mydomain.com"). I set "proxyPort" to 443. I set "scheme" to "https", and I set "secure" to "true". And it works!
When Tomcat generates absolute URLs, it knows to use these parameters to build the URL rather than the values from the incoming request.
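The Connector described above could look like this in server.xml. This is an added example, not the author's actual configuration: the port (8080) and the protocol value are assumptions, and the hostname is the placeholder used in this post.

```xml
<!-- Added example. Assumption: the SSL decoder forwards decrypted
     traffic to Tomcat as plain HTTP on port 8080. -->

<!-- Before: no proxy attributes. request.getServerName() and
     request.getServerPort() reflect the connection made by the decoder,
     so absolute redirect URLs are built as http on the internal host
     and port instead of the public https address.

<Connector port="8080" protocol="HTTP/1.1" />
-->

<!-- After: Tomcat reports the public name, port and scheme to the
     web application, so redirects point at
     https://mysite.mydomain.com/ (port 443). -->
<Connector port="8080" protocol="HTTP/1.1"
           proxyName="mysite.mydomain.com"
           proxyPort="443"
           scheme="https"
           secure="true" />
```

With secure="true", request.isSecure() returns true for every request arriving on this Connector, whether or not it actually travelled over SSL. The Connector's port should therefore be reachable only from the SSL decoder, not directly from clients.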
This solution seems easy in hindsight. But when I was coming at this from the other direction, I didn't know what to look for. I was doing tons and tons of reading on the topic of "SSL with Tomcat" and not on the topic of "proxy servers with Tomcat".
It's one of those "magic word" solutions where you can't find the answer until you guess the magic word to search for.
But I posted many messages on newsgroups and other forums, and nobody else knew the answer to this either. So, I don't feel too bad. :)
So, overall, we have a pretty good end-to-end solution. The only issue we still have is that by configuring the Connector this way, we've locked the entire site into https. We could never have parts of the site be just "http", because we've hard-coded the Connector to treat everything as https.
But that's not so terribly bad. We could still create a separate site for some http content, and jump back and forth between the two sites, I suppose.