8 changed files with 123 additions and 41 deletions
@@ -0,0 +1,32 @@
|
||||
[[http]] |
||||
= HTTP |
||||
|
||||
All HTTP based communication, including https://www.troyhunt.com/heres-why-your-static-website-needs-https/[static resources], should be protected https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html[using TLS]. |
||||
|
||||
As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly. |
||||
However, it does provide a number of features that help with HTTPS usage. |
||||
|
||||
[[http-redirect]] |
||||
== Redirect to HTTPS |
||||
|
||||
When a client uses HTTP, Spring Security can be configured to redirect to HTTPS both <<servlet-http-redirect,Servlet>> and <<webflux-http-redirect,WebFlux>> environments. |
||||
|
||||
[[http-hsts]] |
||||
== Strict Transport Security |
||||
|
||||
Spring Security provides support for <<headers-hsts,Strict Transport Security>> and enables it by default. |
||||
|
||||
[[http-proxy-server]] |
||||
== Proxy Server Configuration |
||||
|
||||
When using a proxy server it is important to ensure that you have configured your application properly. |
||||
For example, many applications will have a load balancer that responds to request for https://example.com/ by forwarding the request to an application server at https://192.168.1:8080 |
||||
Without proper configuration, the application server will not know that the load balancer exists and treat the request as though https://192.168.1:8080 was requested by the client. |
||||
|
||||
To fix this you can use https://tools.ietf.org/html/rfc7239[RFC 7239] to specify that a load balancer is being used. |
||||
To make the application aware of this, you need to either configure your application server aware of the X-Forwarded headers. |
||||
For example Tomcat uses the https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html[RemoteIpValve] and Jetty uses https://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[ForwardedRequestCustomizer]. |
||||
Alternatively, Spring users can leverage https://github.com/spring-projects/spring-framework/blob/v4.3.3.RELEASE/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java[ForwardedHeaderFilter]. |
||||
|
||||
Spring Boot users may use the `server.use-forward-headers` property to configure the application. |
||||
See the https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server[Spring Boot documentation] for further details. |
||||
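Review bot: the upstream address `https://192.168.1:8080` in the sentence beginning "For example, many applications will have a load balancer" and again in the sentence after it is not a valid IPv4 address (only three octets); use a complete placeholder such as `https://192.168.1.1:8080`. That same sentence also reads "responds to request for" and has no terminating period: "responds to requests for https://example.com/ by forwarding the request to an application server at ...". The sentence "you need to either configure your application server aware of the X-Forwarded headers" has a dangling "either" and is missing "to be": "you need to configure your application server to be aware of the X-Forwarded headers" (or restore the "or ..." branch, since the following sentences present the server valves and `ForwardedHeaderFilter` as the two alternatives). Since RFC 7239 defines the standard `Forwarded` header while the text only names `X-Forwarded` headers, mentioning both keeps the reference and the instructions consistent.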
@@ -1,33 +0,0 @@
|
||||
[[ns-requires-channel]] |
||||
= HTTPS |
||||
|
||||
== Adding HTTP/HTTPS Channel Security |
||||
If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed over HTTPS, then this is directly supported using the `requires-channel` attribute on `<intercept-url>`: |
||||
|
||||
[source,xml] |
||||
---- |
||||
<http> |
||||
<intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/> |
||||
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/> |
||||
... |
||||
</http> |
||||
---- |
||||
|
||||
With this configuration in place, if a user attempts to access anything matching the "/secure/**" pattern using HTTP, they will first be redirected to an HTTPS URL footnote:[For more details on how channel-processing is implemented, see the Javadoc for `ChannelProcessingFilter` and related classes.]. |
||||
The available options are "http", "https" or "any". |
||||
Using the value "any" means that either HTTP or HTTPS can be used. |
||||
|
||||
If your application uses non-standard ports for HTTP and/or HTTPS, you can specify a list of port mappings as follows: |
||||
|
||||
[source,xml] |
||||
---- |
||||
<http> |
||||
... |
||||
<port-mappings> |
||||
<port-mapping http="9080" https="9443"/> |
||||
</port-mappings> |
||||
</http> |
||||
---- |
||||
|
||||
Note that in order to be truly secure, an application should not use HTTP at all or switch between HTTP and HTTPS. |
||||
It should start in HTTPS (with the user entering an HTTPS URL) and use a secure connection throughout to avoid any possibility of man-in-the-middle attacks. |
||||
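Review bot: deleting this file drops content that the new Servlet HTTP page does not carry over: the `<port-mappings>` example for non-standard HTTP and HTTPS ports, the description of the `requires-channel` values "http", "https" and "any", and the footnote pointing readers to `ChannelProcessingFilter`. Unless these are covered in one of the other changed files, move them into the new `servlet-http-redirect` section rather than removing them. The `[[ns-requires-channel]]` anchor also disappears; check that no remaining `<<ns-requires-channel>>` cross-references exist elsewhere in the docs before merging.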
@@ -0,0 +1,59 @@
|
||||
[[servlet-http]] |
||||
= HTTP |
||||
|
||||
All HTTP based communication should be protected <<http,using TLS>>. |
||||
|
||||
Below you can find details around Servlet specific features that assist with HTTPS usage. |
||||
|
||||
[[servlet-http-redirect]] |
||||
== Redirect to HTTPS |
||||
|
||||
If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS. |
||||
|
||||
For example, the following Java configuration will redirect any HTTP requests to HTTPS: |
||||
|
||||
.Redirect to HTTPS with Java Configuration |
||||
==== |
||||
[source,java] |
||||
---- |
||||
@Configuration |
||||
@EnableWebSecurity |
||||
public class WebSecurityConfig extends |
||||
WebSecurityConfigurerAdapter { |
||||
|
||||
@Override |
||||
protected void configure(HttpSecurity http) { |
||||
http |
||||
// ... |
||||
.requiresChannel(channel -> |
||||
channel |
||||
.anyRequest().requiresSecure() |
||||
); |
||||
} |
||||
} |
||||
---- |
||||
==== |
||||
|
||||
The following XML configuration will redirect all HTTP requests to HTTPS |
||||
|
||||
.Redirect to HTTPS with XML Configuration |
||||
==== |
||||
[source,xml] |
||||
---- |
||||
<http> |
||||
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/> |
||||
... |
||||
</http> |
||||
---- |
||||
==== |
||||
|
||||
|
||||
[[servlet-hsts]] |
||||
== Strict Transport Security |
||||
|
||||
Spring Security provides support for <<servlet-headers-hsts,Strict Transport Security>> and enables it by default. |
||||
|
||||
[[servlet-http-proxy-server]] |
||||
== Proxy Server Configuration |
||||
|
||||
Spring Security <<http-proxy-servers,integrates with proxy servers>>. |
||||
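Review bot: the cross-reference `<<http-proxy-servers,integrates with proxy servers>>` on the last line does not match the anchor defined in the new http.adoc, which is `[[http-proxy-server]]` (singular); rename one of the two or the link will not resolve. In the XML example, `access="ROLE_USER"` combined with `requires-channel="https"` also requires an authenticated user holding ROLE_USER, which is more than the prose ("redirect all HTTP requests to HTTPS") describes; `access="permitAll"` would demonstrate the redirect on its own. In the Java example, confirm that `configure(HttpSecurity http)` compiles without `throws Exception`, since other `WebSecurityConfigurerAdapter` examples in these docs declare it. Minor: the line "The following XML configuration will redirect all HTTP requests to HTTPS" needs a terminating colon, and there is a doubled blank line before `[[servlet-hsts]]`.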