3

I have a Spring Boot app that uses Spring Security with formLogin and a custom loginPage. Whenever I get authenticated, it sends me to the defaultSuccessUrl, which is /app/dashboard, and it sends it with the http scheme. I have been trying all day to make the success URL scheme https by tweaking application.properties and sometimes with a Bean, but I am still not able to make it happen. My application is in Cloud Foundry, and I don't have port 80 but only 443 (https).

My configuration in Spring is like this:

```java
http
    .authorizeRequests()
    .antMatchers("/", "/forbidden", "/index.html", "/webjars/*", "/app.js", "/access/*", "/signup", "/l10n/*.js", "/", "/tpl/**/*.html", "/fonts/**/*.woff").permitAll()
    .anyRequest().authenticated()

    .and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
    .csrf().csrfTokenRepository(repo)

    .and().httpBasic().disable()
    .formLogin()
    .loginPage("/access/signin").permitAll()
    .failureUrl("/error")
    .defaultSuccessUrl("/app/dashboard")
    .and().logout()
    // The pattern needs a leading slash to match the request path
    .logoutRequestMatcher(new AntPathRequestMatcher("/access/logout"))
    .logoutSuccessUrl("/access/signin").permitAll();
```

I also tried to use an absolute URL with https, but it is not working well.

abaghel
privatejava

1 Answer

10

Did you try `requiresChannel()` and `requiresSecure()`? For a particular URL to be accessible via https, you can try:

```java
.defaultSuccessUrl("/app/dashboard").and().requiresChannel().antMatchers("/app/dashboard").requiresSecure()
```

For all requests to go through https, you can use:

```java
.and().requiresChannel().anyRequest().requiresSecure()
```

You can use port mapping like below.

```java
http
    .portMapper()
        .http(8080).mapsTo(443);
```

Please refer to this and this for more details.

abaghel
  • Actually I am using Predix, which is just another version of Cloud Foundry. I have deployed the Spring Boot app there with `requiresChannel().anyRequest().requiresSecure()` but it has _redirect loops_. After digging deep into the logs I saw that my Tomcat port was running on **64143**: `Starting Servlet Engine: Apache Tomcat/8.0.32` `Starting ProtocolHandler ["http-nio-64143"]` `Using a shared selector for servlet write/read` `Tomcat started on port(s): 64143 (http)` `Updating port to 64143`. That means Cloud Foundry is mapping https to port **64143**. – privatejava Dec 13 '16 at 10:58
  • If you won't provide `http.portMapper`, then `requiresSecure()` will use the default configured https port. So if Tomcat is running on 8080, then with `requiresSecure()` it will use port 8443 for https. Please check which configuration (with or without portMapper) works for you. – abaghel Dec 13 '16 at 11:19
  • Even adding `portMapper()` didn't help. The Spring Boot app is behind a proxy, I guess, because even though it is running on a different port, it is mapped from one Cloud Foundry URI with secure https. `https:// ====> :` – privatejava Dec 13 '16 at 18:23
  • Look and see if HttpServletRequest's `isSecure` and `getRemoteAddr` are returning the correct values. Is `getRemoteAddr` returning the IP of your actual client or the proxy that is upstream? By default the JBP should configure Tomcat to process the `x-forwarded-*` headers and make these function calls work as you'd expect. If the funcs are not working properly then you probably need to adjust setting `internalProxies` of the RemoteIpValve. See https://docs.spring.io/spring-boot/docs/current/reference/html/howto-embedded-servlet-containers.html#howto-customize-tomcat-behind-a-proxy-server. – Daniel Mikusa Dec 14 '16 at 15:13
  • Forgot to mention, if `isSecure` and `getRemoteAddr` are working properly then Spring Security should automatically generate the correct URLs to redirect a user from HTTP to HTTPS and additional config shouldn't be necessary. – Daniel Mikusa Dec 14 '16 at 15:15
  • Is there a chance I can use `portMapper()` for this problem: https://stackoverflow.com/questions/53969201/how-to-accept-http-and-https-requests-on-heroku-in-a-java-spring-boot-2-applicat ? – Stefan Falk Dec 29 '18 at 15:12
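
The check suggested in the comments above (compare `isSecure` and `getRemoteAddr` with what the proxy sends), written as an added example that is not part of the original thread. The class name `ProxyDiagnosticFilter` and the log messages are assumptions made for this example, and it assumes Spring Boot 1.x with embedded Tomcat (`javax.servlet`).

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example: ProxyDiagnosticFilter is a hypothetical name, not code from the thread.
// Ordered first so it logs before Spring Security's channel filter can redirect.
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class ProxyDiagnosticFilter extends OncePerRequestFilter {

    private static final Logger log = LoggerFactory.getLogger(ProxyDiagnosticFilter.class);

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Raw header as sent by the upstream proxy (or by the client, if nothing strips it).
        String forwardedProto = request.getHeader("X-Forwarded-Proto");

        // What the container reports after any forwarded-header processing.
        log.info("uri={} scheme={} secure={} serverPort={} remoteAddr={} X-Forwarded-Proto={} X-Forwarded-For={}",
                request.getRequestURI(), request.getScheme(), request.isSecure(),
                request.getServerPort(), request.getRemoteAddr(),
                forwardedProto, request.getHeader("X-Forwarded-For"));

        if ("https".equalsIgnoreCase(forwardedProto) && !request.isSecure()) {
            // TLS ended at the proxy, but the container still sees plain HTTP, so
            // requiresSecure() redirects to https on every pass: the redirect loop.
            // remoteAddr here is the address internalProxies has to match.
            log.warn("X-Forwarded-Proto=https but isSecure()=false; forwarded headers not applied for peer {}",
                    request.getRemoteAddr());
        } else if (forwardedProto == null && !request.isSecure()) {
            log.warn("No X-Forwarded-Proto header and isSecure()=false; request reached the app as plain HTTP");
        }
        chain.doFilter(request, response);
    }
}
```

Once the log shows `secure=true` and `remoteAddr` is the real client, the filter can be removed. Keep `internalProxies` limited to the platform router's addresses, because any peer it matches is trusted to set the scheme and client address.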