
Cannot stop Spring redirecting https to http

I'm developing a project with Spring Security, and everything was going fine until I loaded my project onto a production server. I have only http on my local machine, but there is https on the production server.

And I faced an error (in case of login error):

Mixed Content: The page at 'https://my.production.com/login' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://my.production.com/api/login?error=bad-credentials'. This request has been blocked; the content must be served over HTTPS.

and (in case of successful login):

Mixed Content: The page at 'https://my.production.com/login' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://my.production.com/authorities'. This request has been blocked; the content must be served over HTTPS.

I asked my vendor about this issue, but they say that "There is no https between your app and nginx, so this is your app problem"...

I tried this, but this solution looks very weird and doesn't solve the problem (it requires adding a lot of configuration classes, and I guess it shouldn't be so hard). Actually, I'm very confused about how this can happen; why isn't it the default behavior to redirect to the scheme that the request was made with...

Also I tried adding this to my Spring Security config:

 .and().requiresChannel().anyRequest().requiresSecure()

but this only causes ERR_TOO_MANY_REDIRECTS on my local machine and on a production server...

This didn't help either:

http.portMapper()
        .http(8080).mapsTo(8443);

I'm not using Spring Boot, but I also tried this, no help.

Success authentication configuration looks like this:

SavedRequestAwareAuthenticationSuccessHandler successHandler =
        new SavedRequestAwareAuthenticationSuccessHandler();
successHandler.setDefaultTargetUrl(env.getProperty("app.authenticationSuccessUrl"));

When Apache Tomcat is running behind an HTTPS (reverse) proxy, there may be some configuration required for links and redirects to work properly.

Open conf/server.xml, find the Connector element, and add the following attributes if not already present:

  • proxyName - set to your domain name.
  • proxyPort - set it to 443 if you are using the standard https port.
  • scheme - set to "https" if site is accessed with https.
  • secure - set to "true" for https.

<Connector proxyName="my.production.com" proxyPort="443" scheme="https" secure="true" ...>

Reference: Apache Tomcat 7: The HTTP Connector
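
An added sketch (not part of the original answer, and not Tomcat or Spring source code) that models how a servlet container turns a relative redirect into an absolute URL from the connector's view of the request. It shows why the Connector attributes above change the scheme of the redirect, and why an HTTPS-only channel rule keeps redirecting when the request is never marked secure. All class and method names are hypothetical, and the model assumes nginx forwards the Host header without a port.

```java
// Added illustration: a simplified model, not Tomcat or Spring source code.
public class ProxyRedirectDemo {

    /** The connector attributes from the answer; the defaults model a plain HTTP connector. */
    static class Connector {
        String scheme = "http";
        boolean secure = false;
        String proxyName = null;   // null: take the host name from the Host header
        int proxyPort = 0;         // 0: fall back to the default port of the scheme
    }

    /** What the application sees for one request that arrived through the proxy. */
    static class RequestView {
        final String scheme; final boolean secure; final String serverName; final int serverPort;
        RequestView(Connector c, String hostHeader) {
            scheme = c.scheme;
            secure = c.secure;
            serverName = c.proxyName != null ? c.proxyName : hostHeader;
            serverPort = c.proxyPort != 0 ? c.proxyPort : ("https".equals(c.scheme) ? 443 : 80);
        }
    }

    /** Turn a relative redirect target into the absolute Location header value. */
    static String absoluteRedirect(RequestView r, String path) {
        boolean defaultPort = ("http".equals(r.scheme) && r.serverPort == 80)
                || ("https".equals(r.scheme) && r.serverPort == 443);
        return r.scheme + "://" + r.serverName + (defaultPort ? "" : ":" + r.serverPort) + path;
    }

    /** Model of a "require HTTPS" rule: redirect whenever the request is not marked secure. */
    static boolean channelRuleRedirects(RequestView r) {
        return !r.secure;
    }

    public static void main(String[] args) {
        String host = "my.production.com";                   // Host header from nginx (assumed)
        String target = "/api/login?error=bad-credentials";  // redirect target from the question

        Connector plain = new Connector();                    // connector with no proxy attributes
        Connector proxied = new Connector();                  // connector configured as in the answer
        proxied.scheme = "https"; proxied.secure = true;
        proxied.proxyName = host; proxied.proxyPort = 443;

        for (Connector c : new Connector[] { plain, proxied }) {
            RequestView r = new RequestView(c, host);
            System.out.println(absoluteRedirect(r, target)
                    + "  HTTPS-only rule redirects again: " + channelRuleRedirects(r));
        }
    }
}
```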
