For a Spring Boot based application I have configured SSL properties in application.properties; see my configuration here:
    server.port=8443
    server.ssl.key-alias=tomcat
    server.ssl.key-password=123456
    server.ssl.key-store=classpath:key.p12
    server.ssl.key-store-provider=SunJSSE
    server.ssl.key-store-type=pkcs12
And I have added a connection in Application.class, like
    @Bean
    public EmbeddedServletContainerFactory tomcatEmbeddedServletContainerFactory() {
        final TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
        factory.addAdditionalTomcatConnectors(this.createConnection());
        return factory;
    }

    private Connector createConnection() {
        final String protocol = "org.apache.coyote.http11.Http11NioProtocol";
        final Connector connector = new Connector(protocol);
        connector.setScheme("http");
        connector.setPort(9090);
        connector.setRedirectPort(8443);
        return connector;
    }
But when I try http://127.0.0.1:9090/, the redirect to https://127.0.0.1:8443/ is not performed. Has anyone faced a similar problem?
Redirect HTTP requests to HTTPS: to do that in Spring Boot, we need to add an HTTP connector on port 8080 and then set the redirect port to 8443, so that any request arriving on 8080 over HTTP is automatically redirected to 8443 and HTTPS.
We can use a name such as a redirect: http://localhost:8080/spring-redirect-and-forward/redirectedUrl if we need to redirect to an absolute URL.
Spring Boot documentation claims that setting server.port=-1 disables the HTTP endpoint, but for me it behaves the same as if I used port=0.
For Tomcat to perform a redirect, you need to configure it with one or more security constraints. You can do this by post-processing the Context using a TomcatEmbeddedServletContainerFactory subclass.
For example:
    TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory() {
        @Override
        protected void postProcessContext(Context context) {
            SecurityConstraint securityConstraint = new SecurityConstraint();
            securityConstraint.setUserConstraint("CONFIDENTIAL");
            SecurityCollection collection = new SecurityCollection();
            collection.addPattern("/*");
            securityConstraint.addCollection(collection);
            context.addConstraint(securityConstraint);
        }
    };
Due to CONFIDENTIAL and /*, this will cause Tomcat to redirect every request to HTTPS. You can configure multiple patterns and multiple constraints if you need more control over what is and is not redirected.
An instance of the above TomcatEmbeddedServletContainerFactory subclass should be defined as a bean using a @Bean method in a @Configuration class.
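An added example, not from the original posts: a complete Spring Boot 1.x configuration class that combines the question's HTTP connector on port 9090 with the security constraint described in the answer above, and adds a second constraint to show how one path can be left un-redirected. The class name `HttpsRedirectConfig`, the helper names and the `/health` path are assumptions; the `org.apache.tomcat.util.descriptor.web` imports assume embedded Tomcat 8 or later.

```java
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class HttpsRedirectConfig { // hypothetical class name

    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                // An exact-match pattern takes precedence over /*, so this one
                // path (assumed, e.g. a load-balancer probe) stays on plain HTTP.
                // Keep anything sensitive out of paths exempted this way.
                context.addConstraint(constraint("NONE", "/health"));
                // Everything else requires a confidential transport; Tomcat answers
                // plain-HTTP requests with a redirect to the connector's redirectPort.
                context.addConstraint(constraint("CONFIDENTIAL", "/*"));
            }
        };
        // The HTTPS connector on 8443 comes from the server.ssl.* properties;
        // this adds the extra plain-HTTP listener that issues the redirects.
        tomcat.addAdditionalTomcatConnectors(httpConnector());
        return tomcat;
    }

    private static SecurityConstraint constraint(String transportGuarantee, String pattern) {
        SecurityConstraint securityConstraint = new SecurityConstraint();
        securityConstraint.setUserConstraint(transportGuarantee);
        SecurityCollection collection = new SecurityCollection();
        collection.addPattern(pattern);
        securityConstraint.addCollection(collection);
        return securityConstraint;
    }

    private static Connector httpConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setScheme("http");
        connector.setPort(9090);          // plain-HTTP port from the question
        connector.setSecure(false);
        connector.setRedirectPort(8443);  // must match server.port
        return connector;
    }
}
```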
Setting this property on your application*.properties file (and the corresponding servlet-specific configuration for HTTPS headers in case you are running behind a proxy) and having Spring Security set-up (e.g. having org.springframework.boot:spring-boot-starter-security on your classpath) should be enough:
security.require-ssl=true
Now, for some reason that configuration is not honored when basic authentication is disabled (at least on old versions of Spring Boot). So in that case you would need to take an extra step and honor it yourself by manually configuring the security on your code, like this:
    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Inject
        private SecurityProperties securityProperties;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            if (securityProperties.isRequireSsl()) {
                http.requiresChannel().anyRequest().requiresSecure();
            }
        }
    }
So, in case you are using Tomcat behind a proxy, you would have all these properties on your application*.properties file:
    security.require-ssl=true
    server.tomcat.remote_ip_header=x-forwarded-for
    server.tomcat.protocol_header=x-forwarded-proto