
Disable spring security https redirecting

I am working on a web application and configured an SSL certificate to run on HTTPS in Tomcat.

<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" clientAuth="false" keystoreFile="conf/expchannel.pfx" keystorePass="***" keystoreType="PKCS12" />

For some reason, the client wants to run it on port 8080. That should not matter.

The problem is with the Spring Security login interceptor. Once it gets the request, it automatically redirects to the login page, but for an unknown reason it uses port 8443, which will never be served (it ends with a timeout).

Configuration:

<security:http auto-config="true" use-expressions="true">
    <security:csrf disabled="true"/>
    <!-- Other pages only for authenticated users -->
    <security:intercept-url pattern="/pages/userManagement.xhtml" access="hasRole('ROLE_ADMIN')" />
    <security:intercept-url pattern="/pages/performanceMonitoring.xhtml" access="hasRole('ROLE_ADMIN')" />
    <security:intercept-url pattern="/pages/**" access="hasRole('ROLE_USER')" />

    <security:session-management invalid-session-url="/sessionExpired.xhtml">
    </security:session-management>

    <!-- Set the login page and what to do if login fails -->
    <security:form-login login-page="/login.xhtml" authentication-failure-url="/loginFail.xhtml" 
        default-target-url="/pages/statusOverview.xhtml" />
    <!-- Note: csrf is declared twice in this block (disabled="true" above and enabled here); the two declarations conflict -->
    <security:csrf/>
</security:http>

The other application instance, running on port 7080, does not have this problem. I guess there is some kind of hidden default behavior that changes the port from exactly 8080 to 8443 in the case of an HTTPS request.

Is there a way to disable this behavior? I was looking for the answer but I didn't find any. The only solution I found was setting the HTTP and HTTPS ports explicitly in the Spring configuration, which doesn't seem right to me. I want it configurable in the Tomcat config, not individually for each web application.

Thanks for any help.

You need to set secure="true" on that connector along with scheme="https".

Note that using port 8080 for secure HTTP is like using port 80 for plaintext HTTP: surprising.

The value 8443 is coming from Tomcat's default redirectPort setting on the connector: Tomcat (or possibly Spring) is redirecting the user to what it thinks is the "secure" connector because all logins should be performed over TLS.
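As an added illustration (not part of the original answer or the asker's files), here is the posted connector beside the corrected one, plus the Spring-side alternative the asker mentioned and rejected. The connector attributes, the keystore path and the ports are taken from the question; the port-mapping values in the Spring fragment are assumed for the example and must be adjusted to the deployment.

```xml
<!-- server.xml, as posted: TLS is enabled, but the connector never tells Tomcat that
     requests arriving on it are secure. request.getScheme() therefore reports "http"
     and request.isSecure() reports false, so any redirect to a "secure" port falls
     back to redirectPort, whose default here is 8443 (see the answer above). -->
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" clientAuth="false"
           keystoreFile="conf/expchannel.pfx" keystorePass="***" keystoreType="PKCS12" />

<!-- server.xml, corrected: scheme="https" and secure="true" make the container report the
     request as HTTPS on port 8080, so the login redirect is built for port 8080 itself.
     redirectPort is set explicitly so nothing silently points at an unserved port. -->
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           redirectPort="8080" clientAuth="false"
           keystoreFile="conf/expchannel.pfx" keystorePass="***" keystoreType="PKCS12" />

<!-- Spring Security alternative (per application, which the asker did not want):
     override the built-in port mapper, whose defaults are 80->443 and 8080->8443.
     The values below are assumed for the example; they are not taken from the question. -->
<security:http auto-config="true" use-expressions="true">
    <security:port-mappings>
        <security:port-mapping http="7080" https="8080" />
    </security:port-mappings>
    <!-- intercept-url / form-login elements as in the question -->
</security:http>
```

After changing server.xml, check with a quick request to the login page that the Location header of the redirect names port 8080 and the https scheme; if it still names 8443, the connector the request actually hit is not the one edited.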

