Scheme is not always HTTPS. For test cases, it could be plain HTTP
I needed this commit when trying this out on a local development environment. In production, using plain HTTP is never a good idea :)
The problem is that I can envision a situation when the webapp's login page--the page that, say, shows the button that redirects to the IdP's login page--is not HTTPS. In that case, we do want to force the callback URL to become HTTPS... Let me think about it a little. Perhaps an authenticator configuration flag that disables forcing HTTPS callback URLs is more appropriate. That way, you could have different configs in different environments and have it disabled in your dev env's config.
Can the valve's hostBaseURI property be used to resolve this issue?
Yes, I suppose it is possible to use the hostBaseURI property. That will prevent this code from being invoked. From your first message I understand you'd like to change the callback URL to https. From a security point of view, I agree that would be infinitely better :)
But you can't be sure that Tomcat also has the HTTPS connector configured. So in that case, the callback will try to go to an endpoint that does not exist. If we want to force users to go through HTTPS, I think there are facilities in Tomcat that will forward the browser to https automatically on a plain HTTP request. For me, it makes sense to build the callback with the same scheme as the user got redirected with.
And in the case where you want multiple virtual hosts, it's not possible to use the hostBaseURI.
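As an added example (not the project's own code), the three behaviours discussed in this thread can be combined in one helper: hostBaseURI, when set, overrides everything; otherwise the callback mirrors the scheme the request arrived with; and the proposed force-HTTPS flag upgrades the scheme. The class, method and field names, and the `forceHttps` flag itself, are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Illustration of the callback-URL options discussed in the thread; hypothetical names throughout. */
public final class CallbackUrlBuilder {

    /** Two knobs from the discussion: the valve's hostBaseURI and the proposed force-HTTPS flag. */
    public static final class Config {
        final String hostBaseURI;   // null or "" means "derive scheme/host/port from the incoming request"
        final boolean forceHttps;   // hypothetical flag; the thread only proposes it

        Config(String hostBaseURI, boolean forceHttps) {
            this.hostBaseURI = hostBaseURI;
            this.forceHttps = forceHttps;
        }
    }

    public static String build(Config cfg, String requestScheme, String serverName,
                               int serverPort, String callbackPath) throws URISyntaxException {
        if (cfg.hostBaseURI != null && !cfg.hostBaseURI.isEmpty()) {
            // hostBaseURI wins: scheme, host and port come from configuration, never from the request.
            return cfg.hostBaseURI.replaceAll("/+$", "") + callbackPath;
        }
        String scheme = requestScheme.toLowerCase();
        int port = serverPort;
        if (cfg.forceHttps && !"https".equals(scheme)) {
            // A plain-HTTP request reveals nothing about the TLS connector (or whether one exists),
            // so the forced URL can only assume the default port 443. Non-standard TLS ports
            // need hostBaseURI instead.
            scheme = "https";
            port = 443;
        }
        // Omit the port when it is the scheme's default, so the URL matches what the IdP has registered.
        boolean defaultPort = ("https".equals(scheme) && port == 443)
                           || ("http".equals(scheme) && port == 80);
        return new URI(scheme, null, serverName, defaultPort ? -1 : port, callbackPath, null, null).toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        Config mirror = new Config(null, false);                        // dev: same scheme as the request
        Config forced = new Config(null, true);                         // always HTTPS, default TLS port assumed
        Config fixed  = new Config("https://sso.example.test/", false); // fixed base, independent of the request
        System.out.println(build(mirror, "http", "localhost", 8080, "/callback"));
        System.out.println(build(forced, "http", "localhost", 8080, "/callback"));
        System.out.println(build(fixed,  "http", "localhost", 8080, "/callback"));
    }
}
```

Note that the `fixed` configuration is the only one that works for a non-standard TLS port, which is the case the thread raises against forcing HTTPS blindly.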