Spring security switching to http after login. How can I keep it as https?

Question

I am using Spring MVC and Spring Security. My redirects were switching https to http until I found this post. Spring MVC "redirect:" prefix always redirects to http -- how do I make it stay on https?. I also had to set the redirectHttp10Compatible property to false in my AjaxUrlBasedViewResolver.

The problem is that https still switches to http after login. Once I am logged in I can set my app back to https in the address bar and it will stick. Also, I am using IP authentication for most users in which case https stays thanks to the solution above.

I am trying to add redirectHtp10Compatible to login_security_check or something like that but am stuck. Here my security-config.xml.

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:beans="http://www.springframework.org/schema/beans"
         xmlns:util="http://www.springframework.org/schema/util"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:context="http://www.springframework.org/schema/context"
         xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
         http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<global-method-security pre-post-annotations="enabled" />

<http auto-config='true' access-denied-page="/login">
    <intercept-url pattern="/static/styles/**" filters="none" />
    <intercept-url pattern="/static/scripts/**" filters="none" />

    <intercept-url pattern="/login/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/error/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/api/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/ajaxTimeOut" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/checkSystem" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/adminUser/**" access="ROLE_SSADMIN" />
    <intercept-url pattern="/**" access="ROLE_USER" />

    <form-login login-page="/ajaxTimeOut" login-processing-url="/login_security_check" authentication-failure-url="/login?login_error=t" default-target-url="/" always-use-default-target="true" />
    <logout logout-url="/logout" logout-success-url="/"/>
    <custom-filter position="PRE_AUTH_FILTER" ref="ipPreAuthFilter" />
</http>

<beans:bean id="ipAuthDetailsSource" class="com.mydomain.security.IPBasedPreAuthenticatedDetailsSource" />

<beans:bean id="ipPreAuthFilter" class="com.mydomain.security.IPPreAuthenticationFilter">
    <beans:property name="authenticationManager" ref="preAuthManager" />
    <beans:property name="authenticationDetailsSource" ref="ipAuthDetailsSource" />
</beans:bean>

<beans:bean id="preAuthManager" class="org.springframework.security.authentication.ProviderManager">
    <beans:property name="providers">
        <beans:list>
            <beans:ref local="preAuthProvider"/>
        </beans:list>
    </beans:property>
</beans:bean>

<beans:bean id="preAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <beans:property name="preAuthenticatedUserDetailsService" ref="preAuthUserService" />
</beans:bean>

<beans:bean id="preAuthUserService" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService" />

<authentication-manager>
    <authentication-provider user-service-ref="userService">
        <password-encoder ref="passwordEncoder" >
            <salt-source user-property="salt" />
        </password-encoder>
    </authentication-provider>
</authentication-manager>

<beans:bean id="userService" class="com.mydomain.security.UserServiceImpl" />
<beans:bean id="passwordEncoder" class="com.mydomain.security.PasswordEncoder">
    <beans:constructor-arg value="256" />
</beans:bean>

Answer 1

Have you tried this:

<http>
    <intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>
    ...
</http>

http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-requires-channel

Answer 2

Got the solution.

<security:form-login login-page="/Login"
                             login-processing-url="/j_spring_security_check"
                             default-target-url="https://127.0.0.1/abcWeb/"
                             always-use-default-target="true"
                             authentication-failure-url="https://127.0.0.1/abcWeb/loginfailed"
                                  />
    <security:logout logout-success-url="https://127.0.0.1/abcWeb/logout" />

I have added absolute path for login processing and for the rest I had added this p:redirectHttp10Compatible="false" to InternalViewResolver