Spring Security: requires-channel="https" behind SSL accelerator

礼貌的吻别 2020-12-15 11:54

We're using an F5 BIG-IP device to terminate SSL connections and connecting by plain HTTP to the application server with a Spring-enabled application. Also we configured F

3 Answers
  • 2020-12-15 12:29

    I know this question/answer is 4 years old, but it helped me to find the solution to my problem. But in modern Spring Boot applications, the fix is easier. Just add the following entry in your application.yaml:

        server.tomcat.protocol_header: x-forwarded-proto

    More information here: http://docs.spring.io/spring-boot/docs/current/reference/html/howto-security.html#howto-enable-https

  • 2020-12-15 12:30

    Subclass SecureChannelProcessor and InsecureChannelProcessor overriding decide(). You'll need to copy and paste some code, for example for Secure:

        @Override
        public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {
          Assert.isTrue((invocation != null) && (config != null),
                           "Nulls cannot be provided");

          for (ConfigAttribute attribute : config) {
              if (supports(attribute)) {
                  // Constant-first comparison: no NullPointerException when the header is absent
                  if ("http".equals(invocation.getHttpRequest().
                          getHeader("X-Forwarded-Proto"))) {
                      // entryPoint is private in SecureChannelProcessor, so a subclass uses the getter
                      getEntryPoint().commence(invocation.getRequest(),
                          invocation.getResponse());
                  }
              }
          }
        }
    

    Then set these ChannelProcessors on the ChannelDecisionManagerImpl bean using a BeanPostProcessor.

  • 2020-12-15 12:30

    Even simpler nowadays:

        server.use-forward-headers: true

    Enabled by default for Cloud Foundry and Heroku, but not for others such as AWS.

    Documentation (section 73.7): https://docs.spring.io/spring-boot/docs/1.5.x/reference/html/howto-embedded-servlet-containers.html

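All three answers make the application believe the `X-Forwarded-Proto` header written by the SSL-terminating proxy. The following is an added example, not code from any of the answers or from Spring Security itself: a variant of the second answer's `SecureChannelProcessor` subclass that honours the header only when the connection comes from a known proxy address and treats a missing header as plain HTTP. The class name and the `trustedProxies` set are hypothetical; it assumes `javax.servlet` (Spring Security 5.x or earlier; 6.x uses `jakarta.servlet`) and that nothing upstream has already rewritten `getRemoteAddr()`.

```java
import java.io.IOException;
import java.util.Collection;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.channel.SecureChannelProcessor;
import org.springframework.util.Assert;

/** Hypothetical class: accepts X-Forwarded-Proto only from the SSL-terminating proxy. */
public class ProxyAwareSecureChannelProcessor extends SecureChannelProcessor {

    // Assumption: IP addresses of the proxy as seen by the application server.
    private final Set<String> trustedProxies;

    public ProxyAwareSecureChannelProcessor(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    @Override
    public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config)
            throws IOException, ServletException {
        Assert.isTrue(invocation != null && config != null, "Nulls cannot be provided");
        for (ConfigAttribute attribute : config) {
            if (supports(attribute) && !isSecure(invocation.getHttpRequest())) {
                // Redirect to HTTPS once, then stop: the response is committed.
                getEntryPoint().commence(invocation.getRequest(), invocation.getResponse());
                return;
            }
        }
    }

    /** Package-private so it can be unit-tested with a mock request. */
    boolean isSecure(HttpServletRequest request) {
        if (request.isSecure()) {
            return true; // the container itself terminated TLS
        }
        // Honour the header only when the TCP peer is the proxy; any other
        // client can set X-Forwarded-Proto itself, so its value is ignored.
        if (!trustedProxies.contains(request.getRemoteAddr())) {
            return false;
        }
        // A missing header from the proxy counts as plain HTTP (fail closed).
        return "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));
    }
}
```

An `InsecureChannelProcessor` subclass would apply the same check with the result inverted, and both are set on the `ChannelDecisionManagerImpl` as the second answer describes.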