We're using an F5 BIG-IP device to terminate SSL connections and connecting by plain HTTP to the application server with an spring enabled application. Also we configured F5 to send an X-Forwarded-Proto header with http or https as value.
Now we'd like to enforce HTTPS by configuring an intercept url:
<security:intercept-url pattern="/login.action" requires-channel="https" />
But this only works if the protocol scheme in the servlet containter is HTTPS, so we need to interpret the HTTP header.
Any idea how to do this?
Thanks Simon
Subclass SecureChannelProcessor and InsecureChannelProcessor overriding decide()
. You'll need to copy and paste some code, for example for Secure:
@Override
public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {
Assert.isTrue((invocation != null) && (config != null),
"Nulls cannot be provided");
for (ConfigAttribute attribute : config) {
if (supports(attribute)) {
if (invocation.getHttpRequest().
getHeader("X-Forwarded-Proto").equals("http")) {
entryPoint.commence(invocation.getRequest(),
invocation.getResponse());
}
}
}
}
Then set these ChannelProcessors on the ChannelDecisionManagerImpl bean using a BeanPostProcessor.
I know this question/answer is 4 years old, but it help me to find the solution to my problem. But in modern Spring Boot applications, the fix is easier. Just add the following entry in your application.yaml
:
server.tomcat.protocol_header: x-forwarded-proto
Mor information here: http://docs.spring.io/spring-boot/docs/current/reference/html/howto-security.html#howto-enable-https
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With