How to enable HTTPS only on Spring
Question
I found this:
<security:http auto-config="true">
<security:form-login .../>
<security:logout .../>
<security:intercept-url pattern="/reports" access="ROLE_ADMIN" requires-channel="https"/>
<security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
<security:intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
</security:http>
From my understanding we have to place this in web.xml, but we aren't using web.xml, we are using the java configuration. How can I achieve this? Is there anything I can perhaps add in application.properties?
1 answers
solution1
0 2016-08-19 10:09:24
What you are showing is a spring security file. Spring security can be configured either using an XML file (like the one you're showing) or through Java configuration (see here: http://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html ).
However your question is: can I enable HTTPS only.
You can also do that through other ways. In Tomcat for example you can do that by configuring server.xml ( http://www.itworld.com/article/2769041/development/how-to-configure-tomcat-to-always-require-https.html and https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html ).
There are similar ways for other JavaEE servers.
You can also use a SecurityConstraint in your web.xml (or Java based Web config) so that it defines CONFIDENTIAL or INTEGRAL like in (XML fragment but you can do it via Java based config):
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.