I believe the problem to be caused by the way application https is handled by Heroku: the https endpoint is in the Heroku stack, but the communication between the endpoint and applications running in Heroku uses vanilla http.
This means that when Shiro assembles the Location header in order to redirect the browser to the login page (and, after login, to the requested page), it uses the http scheme of the request reaching the application, instead of the https scheme as requested by the user (see ShiroHttpServletResponse.toAbsolute(String location)). So, when I request https://myexample.com, the response that Shiro sends back has a Location header of http://myexample.com/login.jsp.

Is this a case that Shiro is able to handle? If so, I'd really appreciate a pointer.

Thanks,
Andy

--
View this message in context: http://shiro-user.582556.n2.nabble.com/SSL-Login-https-redirects-to-http-tp7579103p7579149.html
Sent from the Shiro User mailing list archive at Nabble.com.
