Rob Winch
6 years ago
8 changed files with 123 additions and 41 deletions
@ -0,0 +1,32 @@ |
|||||||
|
[[http]] |
||||||
|
= HTTP |
||||||
|
|
||||||
|
All HTTP based communication, including https://www.troyhunt.com/heres-why-your-static-website-needs-https/[static resources], should be protected https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html[using TLS]. |
||||||
|
|
||||||
|
As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly. |
||||||
|
However, it does provide a number of features that help with HTTPS usage. |
||||||
|
|
||||||
|
[[http-redirect]] |
||||||
|
== Redirect to HTTPS |
||||||
|
|
||||||
|
When a client uses HTTP, Spring Security can be configured to redirect to HTTPS both <<servlet-http-redirect,Servlet>> and <<webflux-http-redirect,WebFlux>> environments. |
||||||
|
|
||||||
|
[[http-hsts]] |
||||||
|
== Strict Transport Security |
||||||
|
|
||||||
|
Spring Security provides support for <<headers-hsts,Strict Transport Security>> and enables it by default. |
||||||
|
|
||||||
|
[[http-proxy-server]] |
||||||
|
== Proxy Server Configuration |
||||||
|
|
||||||
|
When using a proxy server it is important to ensure that you have configured your application properly. |
||||||
|
For example, many applications will have a load balancer that responds to request for https://example.com/ by forwarding the request to an application server at https://192.168.1:8080 |
||||||
|
Without proper configuration, the application server will not know that the load balancer exists and treat the request as though https://192.168.1:8080 was requested by the client. |
||||||
|
|
||||||
|
To fix this you can use https://tools.ietf.org/html/rfc7239[RFC 7239] to specify that a load balancer is being used. |
||||||
|
To make the application aware of this, you need to either configure your application server aware of the X-Forwarded headers. |
||||||
|
For example Tomcat uses the https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html[RemoteIpValve] and Jetty uses https://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[ForwardedRequestCustomizer]. |
||||||
|
Alternatively, Spring users can leverage https://github.com/spring-projects/spring-framework/blob/v4.3.3.RELEASE/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java[ForwardedHeaderFilter]. |
||||||
|
|
||||||
|
Spring Boot users may use the `server.use-forward-headers` property to configure the application. |
||||||
|
See the https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server[Spring Boot documentation] for further details. |
||||||
@ -1,33 +0,0 @@ |
|||||||
[[ns-requires-channel]] |
|
||||||
= HTTPS |
|
||||||
|
|
||||||
== Adding HTTP/HTTPS Channel Security |
|
||||||
If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed over HTTPS, then this is directly supported using the `requires-channel` attribute on `<intercept-url>`: |
|
||||||
|
|
||||||
[source,xml] |
|
||||||
---- |
|
||||||
<http> |
|
||||||
<intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/> |
|
||||||
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/> |
|
||||||
... |
|
||||||
</http> |
|
||||||
---- |
|
||||||
|
|
||||||
With this configuration in place, if a user attempts to access anything matching the "/secure/**" pattern using HTTP, they will first be redirected to an HTTPS URL footnote:[For more details on how channel-processing is implemented, see the Javadoc for `ChannelProcessingFilter` and related classes.]. |
|
||||||
The available options are "http", "https" or "any". |
|
||||||
Using the value "any" means that either HTTP or HTTPS can be used. |
|
||||||
|
|
||||||
If your application uses non-standard ports for HTTP and/or HTTPS, you can specify a list of port mappings as follows: |
|
||||||
|
|
||||||
[source,xml] |
|
||||||
---- |
|
||||||
<http> |
|
||||||
... |
|
||||||
<port-mappings> |
|
||||||
<port-mapping http="9080" https="9443"/> |
|
||||||
</port-mappings> |
|
||||||
</http> |
|
||||||
---- |
|
||||||
|
|
||||||
Note that in order to be truly secure, an application should not use HTTP at all or switch between HTTP and HTTPS. |
|
||||||
It should start in HTTPS (with the user entering an HTTPS URL) and use a secure connection throughout to avoid any possibility of man-in-the-middle attacks. |
|
||||||
@ -0,0 +1,59 @@ |
|||||||
|
[[servlet-http]] |
||||||
|
= HTTP |
||||||
|
|
||||||
|
All HTTP based communication should be protected <<http,using TLS>>. |
||||||
|
|
||||||
|
Below you can find details around Servlet specific features that assist with HTTPS usage. |
||||||
|
|
||||||
|
[[servlet-http-redirect]] |
||||||
|
== Redirect to HTTPS |
||||||
|
|
||||||
|
If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS. |
||||||
|
|
||||||
|
For example, the following Java configuration will redirect any HTTP requests to HTTPS: |
||||||
|
|
||||||
|
.Redirect to HTTPS with Java Configuration |
||||||
|
==== |
||||||
|
[source,java] |
||||||
|
---- |
||||||
|
@Configuration |
||||||
|
@EnableWebSecurity |
||||||
|
public class WebSecurityConfig extends |
||||||
|
WebSecurityConfigurerAdapter { |
||||||
|
|
||||||
|
@Override |
||||||
|
protected void configure(HttpSecurity http) { |
||||||
|
http |
||||||
|
// ... |
||||||
|
.requiresChannel(channel -> |
||||||
|
channel |
||||||
|
.anyRequest().requiresSecure() |
||||||
|
); |
||||||
|
} |
||||||
|
} |
||||||
|
---- |
||||||
|
==== |
||||||
|
|
||||||
|
The following XML configuration will redirect all HTTP requests to HTTPS |
||||||
|
|
||||||
|
.Redirect to HTTPS with XML Configuration |
||||||
|
==== |
||||||
|
[source,xml] |
||||||
|
---- |
||||||
|
<http> |
||||||
|
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/> |
||||||
|
... |
||||||
|
</http> |
||||||
|
---- |
||||||
|
==== |
||||||
|
|
||||||
|
|
||||||
|
[[servlet-hsts]] |
||||||
|
== Strict Transport Security |
||||||
|
|
||||||
|
Spring Security provides support for <<servlet-headers-hsts,Strict Transport Security>> and enables it by default. |
||||||
|
|
||||||
|
[[servlet-http-proxy-server]] |
||||||
|
== Proxy Server Configuration |
||||||
|
|
||||||
|
Spring Security <<http-proxy-servers,integrates with proxy servers>>. |
||||||
Loading…
Reference in new issue