Thursday, May 30, 2002 09:38 PM
We've got a hardware accelerator decrypting https requests and forwarding them to a non-standard port on our server. The accelerator passes through http requests on port 80. On the server itself, we redirect http requests to https using Apache's RedirectMatch directive.
The problem we have is that the 302 we get after POSTing login data to j_security_check seems to point to an absolute URL with an http scheme. This results in a single insecure request and a subsequent redirect to an https URL. Note that the application is not insecure because of this. It just results in an annoying warning that users don't know they can safely ignore.
Any clues appreciated.
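A way to pin down the hop described above from a captured redirect chain, as an added example that is not part of the original post: it flags every https response whose `Location` points to http and lists cookies set without the `Secure` attribute, which a browser would send on that plain-http request. The host, paths, cookie name and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample of the chain in the post: (request URL, status, headers).
CHAIN = [
    ("https://www.example.test/app/j_security_check", 302,
     [("Location", "http://www.example.test/app/home"),
      ("Set-Cookie", "JSESSIONID=abc123; Path=/app")]),
    ("http://www.example.test/app/home", 302,
     [("Location", "https://www.example.test/app/home")]),
    ("https://www.example.test/app/home", 200, []),
]

REDIRECTS = (301, 302, 303, 307, 308)

def cookie_names_without_secure(headers):
    """Names of cookies set without the Secure attribute."""
    names = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            names.append(parts[0].split("=", 1)[0])
    return names

def find_downgrades(chain):
    """One finding per hop where an https response redirects to http."""
    findings = []
    exposed = []  # cookies seen so far that are not restricted to https
    for url, status, headers in chain:
        # Simplification: assumes every hop is in the cookie's host/path scope.
        exposed += cookie_names_without_secure(headers)
        location = next((v for k, v in headers if k.lower() == "location"), None)
        if status not in REDIRECTS or location is None:
            continue
        target = urljoin(url, location)  # resolves relative Location values too
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            findings.append({"from": url, "to": target,
                             "cookies_sent_in_clear": sorted(set(exposed))})
    return findings

if __name__ == "__main__":
    for finding in find_downgrades(CHAIN):
        print(finding)
```
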