I have a Spring web app, secured with Spring Security, running on EC2. In front of the EC2 instance is an Elastic Load Balancer with an SSL cert (https terminates at the load ba
I am also facing exactly the same problem, and until I get a proper solution I am redirecting my requests from the proxy server to the Tomcat server over AJP instead of HTTP. Below is my Apache configuration:
ProxyPass /myproject ajp://localhost:8009/myproject
ProxyPassReverse /myproject ajp://localhost:8009/myproject
The solution was twofold:
(1) application.yml
server:
  use-forward-headers: true
(2) in the server's /etc/apache2/sites-enabled/oow.com-le-ssl.conf
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
(2.1) and enabled the Apache module with
sudo a2enmod headers
Put it together with the help of this and this
Your Spring configuration should be agnostic to the protocol used. If you use something like "requires-channel", you'll run into problems sooner or later, especially if you want to deploy the same application to a development environment without https.
Instead, consider configuring your Tomcat properly. You can do this with RemoteIpValve. Depending on which headers the load balancer sends, your server.xml configuration needs to contain something like this:
<Valve
    className="org.apache.catalina.valves.RemoteIpValve"
    internalProxies=".*"
    protocolHeader="X-Forwarded-Proto"
    httpsServerPort="443"
/>
Spring will determine the absolute redirect address based on the ServletRequest, so change the httpsServerPort if you are using something other than 443:
The httpsServerPort is the port returned by ServletRequest.getServerPort() when the protocolHeader indicates https protocol
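Added example, not part of the answer above and not Tomcat code: a simplified Python model of how RemoteIpValve decides whether to honour forwarded headers, comparing internalProxies=".*" with a pattern limited to the load balancer's addresses. The 10.0.1.x subnet, the connector port 8080 and all request addresses are constructed assumptions.

```python
import re

# Constructed sample values: a load balancer subnet and documentation-range addresses.
WIDE_OPEN = r".*"                   # value used in the answer's Valve
LB_ONLY = r"10\.0\.1\.\d{1,3}"      # hypothetical subnet the load balancer lives in


def resolve(peer_addr, headers, internal_proxies, https_server_port=443):
    """Simplified model of RemoteIpValve's trust decision (not Tomcat code).

    Returns the address, scheme, secure flag and port the application would see.
    """
    seen = {"remote_addr": peer_addr, "scheme": "http", "secure": False, "port": 8080}
    trusted = re.compile(internal_proxies)
    # Forwarded headers count only if the TCP peer itself matches internalProxies.
    if not trusted.fullmatch(peer_addr):
        return seen
    # Walk X-Forwarded-For right to left; stop at the first hop that is not a proxy.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        seen["remote_addr"] = hop
        if not trusted.fullmatch(hop):
            break
    if headers.get("X-Forwarded-Proto", "").lower() == "https":
        seen.update(scheme="https", secure=True, port=https_server_port)
    return seen


# Request relayed by the load balancer (10.0.1.17) for a real client.
via_lb = ("10.0.1.17", {"X-Forwarded-For": "203.0.113.9", "X-Forwarded-Proto": "https"})
# Plain-HTTP request that reached Tomcat without passing through the load balancer,
# carrying forwarded headers it set itself.
direct = ("198.51.100.23", {"X-Forwarded-For": "192.0.2.1", "X-Forwarded-Proto": "https"})

if __name__ == "__main__":
    for label, pattern in (("internalProxies=.*", WIDE_OPEN), ("LB subnet only", LB_ONLY)):
        for name, (peer, hdrs) in (("via LB", via_lb), ("direct", direct)):
            print(f"{label:20} {name:7} -> {resolve(peer, hdrs, pattern)}")
```

With ".*" the application treats the direct plain-HTTP request as secure and records the address from its header; with the restricted pattern the headers are ignored for that peer. Restricting internalProxies works best alongside a network rule that lets only the load balancer reach Tomcat's port.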
I had the same problem with Spring Boot behind Google Kubernetes. Adding these two lines to application.properties did it for me:
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto
Source: https://docs.spring.io/spring-boot/docs/current/reference/html/howto-security.html#howto-enable-https
In my case, I had to REMOVE the property server.use-forward-headers=true.
This is my setup:
Digital Ocean LB --> Kubernetes cluster with Ingress --> Spring boot Application
One way I got this working is by adding the following config:
<http auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
    <form-login login-page="/login.jsf" authentication-failure-url="/login.jsf?login_error=t" always-use-default-target="true" default-target-url="xxxxx" />
    <logout logout-url="/logout" logout-success-url="/logoutSuccess.jsf" />
    ...
</http>
I had to add always-use-default-target="true" and default-target-url="https://....". It is not the ideal way, as you need to hard-code the URL in the config.