Recently we had a problem satisfying a requirement to secure the HTTP requests and responses of a web application.
The application consists of a Flex front end and a Java web application accessed as Web Services by the front end. The Flex app is hosted by Apache and the Java web app by Tomcat. The Web Services are created by XFire annotations on the Java interfaces.
Apache is hosted on a physical server in a DMZ. Tomcat is hosted on a second server behind a firewall which blocks external requests.
When a user requests data, the sequence is:
- The browser sends a request over HTTPS to Apache.
- Apache passes the request on to Tomcat over HTTP.
- Tomcat sends a response containing WSDL to Apache over HTTP.
- Apache returns the response to the browser over HTTPS.
The requirement is for all communications to and from the browser to go over HTTPS. The problem is that the WSDL returned to the browser contains the service endpoint URL, and XFire has given that URL the HTTP scheme because the request reached Tomcat over HTTP. The next request the browser makes to the web service uses that endpoint URL, so it goes over plain HTTP.
The solution we came up with was for Apache to do a substitution on the returned WSDL so that the HTTP URLs are translated into HTTPS URLs. Specifically, occurrences of
wsdlsoap:address location="http:
are translated into
wsdlsoap:address location="https:
(this is something of a fix). We put these lines into an Apache .conf file (the inner double quotes must be escaped, and the trailing n flag tells mod_substitute to match the text literally rather than as a regular expression; mod_substitute has to be loaded for the filter to exist):
AddOutputFilterByType SUBSTITUTE text/xml
Substitute "s/wsdlsoap:address location=\"http:/wsdlsoap:address location=\"https:/n"
We checked the browser requests and responses using Live HTTP Headers in Firefox. Everything is now going via HTTPS, as desired.
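To see what the filter does and to check its result, here is an added Python example (not from the original post) that applies the same fixed-string rewrite to a constructed WSDL fragment and then lists any SOAP endpoint locations that still do not use https; the service name, host name and WSDL content are made up. It also shows that the literal match depends on the wsdlsoap: prefix XFire emits: a WSDL that declares the same namespace under another prefix is left untouched, which the namespace-aware check catches.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace of the <wsdlsoap:address> elements in an XFire-generated WSDL.
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# The same fixed-string rewrite the Apache Substitute directive performs
# (its trailing 'n' flag means a literal match, not a regular expression).
PATTERN = 'wsdlsoap:address location="http:'
REPLACEMENT = 'wsdlsoap:address location="https:'


def rewrite_wsdl(wsdl: str) -> str:
    """Apply the proxy's literal substitution to a WSDL document."""
    return wsdl.replace(PATTERN, REPLACEMENT)


def insecure_endpoints(wsdl: str) -> list[str]:
    """Return every SOAP endpoint location whose scheme is not https.

    The WSDL is parsed namespace-aware, so soap address elements are found
    whatever prefix the generator chose for the namespace.
    """
    root = ET.fromstring(wsdl)
    return [
        addr.get("location", "")
        for addr in root.iter(f"{{{SOAP_NS}}}address")
        if urlparse(addr.get("location", "")).scheme != "https"
    ]


# Constructed sample: the service section of a WSDL as Tomcat returns it.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://example.invalid/orders"
    targetNamespace="http://example.invalid/orders">
  <wsdl:service name="OrderService">
    <wsdl:port name="OrderServiceHttpPort" binding="tns:OrderServiceHttpBinding">
      <wsdlsoap:address location="http://app.example.invalid/services/OrderService"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""
# Same document with the namespace bound to the prefix "soap" instead.
OTHER_PREFIX_WSDL = SAMPLE_WSDL.replace("wsdlsoap", "soap")

if __name__ == "__main__":
    for name, wsdl in (("xfire", SAMPLE_WSDL), ("other-prefix", OTHER_PREFIX_WSDL)):
        leftover = insecure_endpoints(rewrite_wsdl(wsdl))
        print(name, "OK" if not leftover else f"still insecure: {leftover}")
```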