
Trying to set up proper HTTPS with Spring Boot 4

I have a Spring Boot app that was running perfectly fine without HTTPS. Now, I got my SSL certificate for use in the prod environment, and I now want to make all endpoints HTTPS by default.

I have been using Spring Security to configure my pages' access, and this is what I have:

@Override
protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(
                        "/images/**",
                        "/css/**",
                        "/js/**",
                        ....bunch of endpoints....
                        "/").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login")
                .failureUrl("/login")
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/logout")
                .clearAuthentication(true)
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID", "remember-me")
                .logoutSuccessUrl("/")
                .permitAll()
                .and()
            .exceptionHandling()
                .accessDeniedPage("/error");
}

I read that you could add this to my config above to force all requests to HTTPS, but I wanted to make sure where it should go so I don't break production:

.requiresChannel().anyRequest().requiresSecure();

I am running my app via AWS Elastic Beanstalk, and the SSL cert is already installed properly on AWS (ready to go). Just to clarify, the SSL/HTTPS is terminated at the Load Balancer and not at the EC2 instance, so this might change the configuration in Spring Boot, I guess?

Also, it would be great if I could test out the https with Spring locally on my machine too, but I am not sure how to proceed with that. A lot of the online examples seem pretty complex.

What is everyone's advice on this? Thanks

Yes, to enforce HTTPS you need to add the following line of code:

http.requiresChannel().anyRequest().requiresSecure();

For testing locally you need to install a cert on your local machine, and the following config is required.

Enable HTTPS in Spring Boot:

Inside your application.properties define the following properties:

# Define a custom port instead of the default 8080
server.port=8089
# Tell Spring Security to require requests over HTTPS
security.require-ssl=true
# The keystore containing the certificate and private key
server.ssl.key-store=keystore.jks
# The password protecting the keystore
server.ssl.key-store-password=password
# The alias of the certificate entry inside the keystore
server.ssl.key-alias=tomcat

Enable HSTS

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with them using secure HTTPS connections,[1] and never via the insecure HTTP protocol.

Strict-Transport-Security: max-age=31536000; includeSubDomains
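Editor's added example (not code from the question or the answer above): the complete configuration class that the answer's one-liner slots into, written in the same WebSecurityConfigurerAdapter style as the asker's snippet (Spring Security 5.x), with the application.properties for both deployments in a trailing comment. The package and class names, the local port and the keystore password are assumptions. It covers two points the thread leaves implicit. First, when TLS terminates at the AWS load balancer the instance only ever receives plain HTTP, so requiresSecure() redirects every request to https://, the balancer forwards it as http:// again, and the browser loops; Spring Boot has to be told to trust X-Forwarded-Proto (server.forward-headers-strategy=native) for the channel check to see the real scheme. Second, security.require-ssl in the answer's properties was a Spring Boot 1.x property that Spring Boot 2.0 removed in favour of requiresChannel(), so on Spring Boot 2 the Java call is the one that actually enforces the policy.

```java
// Added example, not code from the question or the answer above.
// Same style as the asker's snippet (Spring Boot 2.x / Spring Security 5.x,
// WebSecurityConfigurerAdapter). Package and class names are assumed.
package com.example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Channel security: a request Spring sees as plain HTTP gets a
            // redirect to the https:// URL before any authorization rule runs.
            // Behind a TLS-terminating load balancer the app only ever receives
            // HTTP, so this is correct ONLY if Spring trusts X-Forwarded-Proto
            // (see the application.properties comment below); otherwise the
            // redirect is re-forwarded as http:// and the browser loops.
            .requiresChannel()
                .anyRequest().requiresSecure()
                .and()
            // HSTS: Spring Security already sends this header on responses it
            // considers secure; spelling it out pins max-age and
            // includeSubDomains to the values quoted in the answer above.
            .headers()
                .httpStrictTransportSecurity()
                    .maxAgeInSeconds(31536000)
                    .includeSubDomains(true)
                    .and()
                .and()
            // Everything below is the asker's original configuration, with the
            // elided endpoint list left out.
            .authorizeRequests()
                .antMatchers("/images/**", "/css/**", "/js/**", "/").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login")
                .failureUrl("/login")
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/logout")
                .clearAuthentication(true)
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID", "remember-me")
                .logoutSuccessUrl("/")
                .permitAll()
                .and()
            .exceptionHandling()
                .accessDeniedPage("/error");
    }
}

/*
 * application.properties for the two deployments (assumed values):
 *
 * # --- Production on Elastic Beanstalk, TLS terminated at the load balancer ---
 * # Let Tomcat's RemoteIpValve derive request.isSecure()/getScheme() from
 * # X-Forwarded-Proto, so requiresSecure() sees HTTPS instead of looping.
 * # (Spring Boot 2.2+; on 2.0/2.1 the equivalent is server.use-forward-headers=true.)
 * server.forward-headers-strategy=native
 * # Forwarded headers are only honoured from the balancer's private addresses;
 * # the default already covers the RFC 1918 ranges, narrow it if you know the
 * # subnet, e.g. (regex, backslashes doubled for the .properties escape rules):
 * # server.tomcat.remoteip.internal-proxies=10\\.0\\.\\d{1,3}\\.\\d{1,3}
 * # No server.ssl.* here: the instance speaks plain HTTP to the balancer.
 *
 * # --- Local testing with a self-signed certificate ---
 * # Generate the keystore once (PKCS12, alias "tomcat", 1-year validity):
 * # keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
 * #   -storetype PKCS12 -keystore src/main/resources/keystore.p12 -validity 365
 * server.port=8443
 * server.ssl.key-store=classpath:keystore.p12
 * server.ssl.key-store-type=PKCS12
 * server.ssl.key-store-password=changeit
 * server.ssl.key-alias=tomcat
 * # Tomcat now serves HTTPS only on 8443, so requiresSecure() passes without a
 * # redirect; the browser will warn about the self-signed cert, which is expected.
 */
```

To check the production setting without deploying, send a request to the instance with the header the balancer adds (curl -H "X-Forwarded-Proto: https" http://localhost:8080/) and confirm you get the page rather than a 302; the same request without the header should return a 302 to the https:// URL, and the HTTPS response should carry the Strict-Transport-Security header.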
