I have a Spring web app, secured with Spring Security, running on EC2. In front of the EC2 instance is an Elastic Load Balancer with an SSL cert (https terminates at the load ba
If it is a Spring Boot application (I currently use the 2.0.0 release), the following configuration within the application.properties file should be enough:
server.tomcat.protocol-header=x-forwarded-proto
This worked for me on AWS with a load balancer at the front.
For Spring Boot < 2.0.0 it should also work (not tested).
I set requires-channel="any" on all intercept-urls. This allows it to still work in my dev environment where I don't use SSL.
<intercept-url pattern="/createUser" access="permitAll" requires-channel="any"/>
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" requires-channel="any"/>
<intercept-url pattern="/**" access="isAuthenticated()" requires-channel="any"/>
Then, create an Apache virtual host that redirects all traffic to the HTTPS version.
<VirtualHost *:80>
    ServerName www.mywebsite.com
    Redirect permanent / https://www.mywebsite.com/
</VirtualHost>
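As an added example (not code from either answer above), the two ideas can be combined in Spring Security Java configuration for Spring Boot 2.0.x: HTTPS is required only for requests that arrive through the load balancer, so a dev environment without SSL keeps working. The class name and the form-login choice are assumptions; the URL rules mirror the intercept-url entries above.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example; BehindLoadBalancerSecurityConfig is a hypothetical name.
// Assumes application.properties contains
//   server.tomcat.protocol-header=x-forwarded-proto
// so that request.isSecure() reflects the scheme the load balancer saw.
// Without that property isSecure() stays false behind an SSL-terminating
// balancer and the HTTPS redirect below would repeat on every request.
@Configuration
@EnableWebSecurity
public class BehindLoadBalancerSecurityConfig extends WebSecurityConfigurerAdapter {

    // Matches only requests carrying the header the load balancer adds.
    // Direct requests in a dev environment have no such header and stay on HTTP.
    private static final RequestMatcher VIA_LOAD_BALANCER =
            (HttpServletRequest request) -> request.getHeader("X-Forwarded-Proto") != null;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requiresChannel()
                // Requests the balancer received over plain HTTP are redirected to HTTPS.
                .requestMatchers(VIA_LOAD_BALANCER).requiresSecure()
                .and()
            .authorizeRequests()
                .antMatchers("/createUser").permitAll()
                // hasRole("ADMIN") checks for the authority ROLE_ADMIN.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            // Assumption: form login; keep whatever mechanism the app already uses.
            .formLogin();
    }
}
```

The forwarded header is only as trustworthy as the network path: restrict the instance's security group so that only the load balancer can reach the application port, since a client connecting directly could set `X-Forwarded-Proto` itself. Tomcat honours the header only from addresses matching its trusted-proxy pattern (`server.tomcat.internal-proxies` in Spring Boot 2.0.x).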
Use the lines of code below in web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Login and Restricted Space URLs</web-resource-name>
        <url-pattern>/j_security_check</url-pattern>
        <url-pattern>/loginpage.rose</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
It forces the use of HTTPS.