Spring security redirection URL using HTTP while HTTPS required

0
votes

My project architecture consists of a load balancer which is configured with SSL. The SSL configuration terminates at load balancer and the request is forwarded to WebServer and AppServer at HTTP. When user first accesses the application, Spring Security tries to redirect to login page using HTTP protocol. Since the load balancer listens at HTTPS, this request fails.

What can I do to ensure that Spring Security uses HTTPS protocol when creating redirect requests considering WebServer will always forward to AppServer on HTTP?

Note: AppServer is Jboss EAP 7.3

2
spring-bootapachespring-securityjboss
tomgregory.com/… - Boris the Spider

2 Answers

1
votes

Normally, the simple http to https redirect makes the user take an extra hop as they will come back in http and then need to be redirected. That can be painless (especially is you are using HSTS). Normally, the way this is done from the BIG-IP standpoint is to insert a header of X-Forwarded-Proto (xfp) of https (you can check that the source is using https in an iRule or use a policy to insert the header).

The other part is to have Spring look at the xfp header rather that the server URL to make the determination the request was using https.

Have you also tried to eliminate any host or protocol name on your redirects? We have had good luck with relative references to any redirects, but I still see some apps sending out a 302 redirect with http which the redirect iRule then bounces back to https.

0
votes

I was unable to figure out how to do this from Spring boot for the current architecture. As a workaround, we added an IRule on LoadBalancer which instead of rejecting http requests, redirected them to HTTPS.