HTTPS login with Spring Security redirects to HTTP

I have a Spring web app, secured with Spring Security, running on EC2. In front of the EC2 instance is an Elastic Load Balancer with an SSL cert (https terminates at the load balancer, i.e. port 443 -> port 80), so from Tomcat's perspective, inbound requests are HTTP.

My login form submits to https, however the subsequent redirect goes to http (success or fail). The authentication was successful, and I can go back to https and I'm logged in.

My login configuration looks like so:

<security:form-login
    default-target-url="/home"
    login-page="/"
    login-processing-url="/processlogin"
    authentication-failure-url="/?login_error=1"/>

What do I need to change to make default-target-url and authentication-failure-url go to https?

  • Tomcat 6
  • Spring Security 3.0.x
Thody asked Apr 30 '12 15:04




2 Answers

Your Spring configuration should be agnostic to the protocol used. If you use something like "requires-channel", you'll run into problems sooner or later, especially if you want to deploy the same application to a development environment without https.

Instead, consider configuring your Tomcat properly. You can do this with RemoteIpValve. Depending on which headers the load balancer sends, your server.xml configuration needs to contain something like this:

<Valve
   className="org.apache.catalina.valves.RemoteIpValve"
   internalProxies=".*"
   protocolHeader="X-Forwarded-Proto"
   httpsServerPort="443" />

Spring will determine the absolute redirect address based on the ServletRequest, so change the httpsServerPort if you are using something other than 443:

The httpsServerPort is the port returned by ServletRequest.getServerPort() when the protocolHeader indicates https protocol

marcelj answered Oct 19 '22 16:10
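A constructed Python model (added here; not Tomcat's or Spring's code) of the decision the answer above relies on: the valve honours X-Forwarded-Proto only from a peer whose address matches internalProxies, rewrites scheme and server port, and that is what turns Spring's absolute redirect into https. The addresses, hostname and request shape are made-up sample values; the demo also shows the difference between matching the load balancer's subnet and matching every peer.

```python
import re
from urllib.parse import urlunsplit

# Constructed model of what RemoteIpValve does for scheme/port (illustration,
# not Tomcat's code): trust protocolHeader only from internalProxies peers.
class RemoteIpValve:
    def __init__(self, internal_proxies, protocol_header="X-Forwarded-Proto",
                 https_server_port=443, http_server_port=80):
        self.internal_proxies = re.compile(internal_proxies)
        self.protocol_header = protocol_header.lower()
        self.https_server_port = https_server_port
        self.http_server_port = http_server_port

    def apply(self, request):
        """Return a copy of the request as the servlet would then see it."""
        seen = dict(request)
        if not self.internal_proxies.fullmatch(request["remote_addr"]):
            return seen  # header came from an untrusted peer: ignore it
        headers = {k.lower(): v for k, v in request["headers"].items()}
        proto = headers.get(self.protocol_header, "").lower()
        if proto == "https":
            seen["scheme"], seen["server_port"] = "https", self.https_server_port
        elif proto == "http":
            seen["scheme"], seen["server_port"] = "http", self.http_server_port
        return seen

def redirect_url(request, target):
    """Absolute redirect built from the request, as Spring Security does."""
    scheme, port = request["scheme"], request["server_port"]
    default = 443 if scheme == "https" else 80
    host = request["host"] if port == default else f'{request["host"]}:{port}'
    return urlunsplit((scheme, host, target, "", ""))

# Constructed sample: TLS terminated at the ELB, plain HTTP to Tomcat on 80.
FROM_ELB = {"remote_addr": "10.0.0.5", "scheme": "http", "server_port": 80,
            "host": "example.com", "headers": {"X-Forwarded-Proto": "https"}}
# Same header, but sent directly by an address that is not the load balancer.
FROM_OUTSIDE = dict(FROM_ELB, remote_addr="203.0.113.7")

def demo():
    valve = RemoteIpValve(internal_proxies=r"10\.\d+\.\d+\.\d+")
    return {
        "no_valve": redirect_url(FROM_ELB, "/home"),
        "valve_from_elb": redirect_url(valve.apply(FROM_ELB), "/home"),
        "valve_from_outside": redirect_url(valve.apply(FROM_OUTSIDE), "/home"),
    }

if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name:>20}: {url}")
```

With internalProxies=".*" as in the answer, the same header from 203.0.113.7 would be honoured too, so a pattern covering only the load balancer's addresses (or Tomcat's default private-range pattern) is the safer setting.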


If it is a Spring Boot application (I currently use the 2.0.0 release), the following configuration within the application.properties file should be enough:

server.tomcat.protocol-header=x-forwarded-proto

This worked for me on AWS with a load balancer at the front.

For Spring Boot < 2.0.0 it should also work (not tested).

Rolch2015 answered Oct 19 '22 15:10