Spring MVC + Spring Security: how to migrate application from http to https

Question

I have built a spring MVC application using Spring Tool Suite. I also used Spring Security to handle access permissions and login/logout. The application is currently using http protocol, but I want to move to https completely.

What should I do? Should I also reconfigure STS' VFabric tc Server to run the appliction? If so, how?

Answer 1

You need to configure your application container if you want to use https protocol.

VFabric tc Server docs about SSL:

http://pubs.vmware.com/vfabric5/index.jsp?topic=/com.vmware.vfabric.tc-server.2.6/admin/manual-config-ssl.html

Still you can use Spring Security features. HTTP/HTTPS Channel Security is achieved with ChannelProcessingFilter. Fortunately it can be easily configured with Spring Security XML Namespace.

Spring Docs:

If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed over HTTPS, then this is directly supported using the requires-channel attribute on intercept-url

Example Config:

<http>
    <intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>
    <intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>
</http>

More info: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-requires-channel