Spring security change redirect URL to use HTTPS instead of HTTP










3















I'm working with a Spring microservice protected with Spring Security SSO login (Using Cloudfoundry UAA).



Microservice when deployed on Cloud is accessible via HTTPS URL. Since HTTPS URL is of the ELB (Load balancer/web server), actual request to microservice from ELB comes on HTTP. So Spring when redirecting the user to login page produces HTTP URL instead of HTTPS URL in 302 Location header.



Following is the flow



Browser
->(https://mymicroservice.com) Unauthenticated request (Load balancer)
->(http://internal_lan_ip:someport) Microservice
-> 302 Location http://mymicroservice.com/login
-> Browser http://mymicroservice.com/login (failed)

In short it goes from HTTPS -> HTTP -> 302 HTTP (failed as ELB doesn't serve on HTTP)


Following is what I have tried



x-forwarded-proto



Since load balancer is also not populating x-forwarded-proto correctly to HTTPS, instead it gives me HTTP, I can't use Spring's support for it.



Require channel HTTPS



It also doesn't work, as it results in infinite redirections from Spring as Spring never receives an HTTPS request from ELB, despite correctly having produced HTTPS redirect URL.



Interceptor/Filter



Use a ServletFilter to check response header Location and if present replace http:// with https://.



Frankly last option is my final option as I do not control the ELB configuration.



Now issue is that I'm unable to intercept the response after spring redirects to /login URL which in turn should redirect to SSO URL.



I have tried various combinations of Interceptors (postHandle, afterCompletion), using Spring security to inject it at various locations in the filter chain and finally setting the filter order to lowest. None of these intercept unauthenticated request after redirection.



@Component
@Order(Ordered.LOWEST_PRECEDENCE)
class RedirectUrlProtocolUpdaterFilter extends OncePerRequestFilter

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException
String locationHeader = response.getHeader("Location");
System.out.println("############ inside interceptor");

for(String name: response.getHeaderNames())
System.out.println(name + " : " + response.getHeader(name));


if(locationHeader != null && locationHeader.startsWith("http://"))
System.out.println("###################### setting location header");

locationHeader = locationHeader.replaceAll("http://", "https://");
response.setHeader("Location", locationHeader);


filterChain.doFilter(request, response);





How do I correctly intercept the /login redirection by Spring Security in a filter/interceptor and update Location header to include correct protocol?



Any hint is appreciated.










share|improve this question




























    3















    I'm working with a Spring microservice protected with Spring Security SSO login (Using Cloudfoundry UAA).



    Microservice when deployed on Cloud is accessible via HTTPS URL. Since HTTPS URL is of the ELB (Load balancer/web server), actual request to microservice from ELB comes on HTTP. So Spring when redirecting the user to login page produces HTTP URL instead of HTTPS URL in 302 Location header.



    Following is the flow



    Browser
    ->(https://mymicroservice.com) Unauthenticated request (Load balancer)
    ->(http://internal_lan_ip:someport) Microservice
    -> 302 Location http://mymicroservice.com/login
    -> Browser http://mymicroservice.com/login (failed)

    In short it goes from HTTPS -> HTTP -> 302 HTTP (failed as ELB doesn't serve on HTTP)


    Following is what I have tried



    x-forwarded-proto



    Since load balancer is also not populating x-forwarded-proto correctly to HTTPS, instead it gives me HTTP, I can't use Spring's support for it.



    Require channel HTTPS



    It also doesn't work, as it results in infinite redirections from Spring as Spring never receives an HTTPS request from ELB, despite correctly having produced HTTPS redirect URL.



    Interceptor/Filter



    Use a ServletFilter to check response header Location and if present replace http:// with https://.



    Frankly last option is my final option as I do not control the ELB configuration.



    Now issue is that I'm unable to intercept the response after spring redirects to /login URL which in turn should redirect to SSO URL.



    I have tried various combinations of Interceptors (postHandle, afterCompletion), using Spring security to inject it at various locations in the filter chain and finally setting the filter order to lowest. None of these intercept unauthenticated request after redirection.



    @Component
    @Order(Ordered.LOWEST_PRECEDENCE)
    class RedirectUrlProtocolUpdaterFilter extends OncePerRequestFilter

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
    throws ServletException, IOException
    String locationHeader = response.getHeader("Location");
    System.out.println("############ inside interceptor");

    for(String name: response.getHeaderNames())
    System.out.println(name + " : " + response.getHeader(name));


    if(locationHeader != null && locationHeader.startsWith("http://"))
    System.out.println("###################### setting location header");

    locationHeader = locationHeader.replaceAll("http://", "https://");
    response.setHeader("Location", locationHeader);


    filterChain.doFilter(request, response);





    How do I correctly intercept the /login redirection by Spring Security in a filter/interceptor and update Location header to include correct protocol?



    Any hint is appreciated.










    share|improve this question


























      3












      3








      3








      I'm working with a Spring microservice protected with Spring Security SSO login (Using Cloudfoundry UAA).



      Microservice when deployed on Cloud is accessible via HTTPS URL. Since HTTPS URL is of the ELB (Load balancer/web server), actual request to microservice from ELB comes on HTTP. So Spring when redirecting the user to login page produces HTTP URL instead of HTTPS URL in 302 Location header.



      Following is the flow



      Browser
      ->(https://mymicroservice.com) Unauthenticated request (Load balancer)
      ->(http://internal_lan_ip:someport) Microservice
      -> 302 Location http://mymicroservice.com/login
      -> Browser http://mymicroservice.com/login (failed)

      In short it goes from HTTPS -> HTTP -> 302 HTTP (failed as ELB doesn't serve on HTTP)


      Following is what I have tried



      x-forwarded-proto



      Since load balancer is also not populating x-forwarded-proto correctly to HTTPS, instead it gives me HTTP, I can't use Spring's support for it.



      Require channel HTTPS



      It also doesn't work, as it results in infinite redirections from Spring as Spring never receives an HTTPS request from ELB, despite correctly having produced HTTPS redirect URL.



      Interceptor/Filter



      Use a ServletFilter to check response header Location and if present replace http:// with https://.



      Frankly last option is my final option as I do not control the ELB configuration.



      Now issue is that I'm unable to intercept the response after spring redirects to /login URL which in turn should redirect to SSO URL.



      I have tried various combinations of Interceptors (postHandle, afterCompletion), using Spring security to inject it at various locations in the filter chain and finally setting the filter order to lowest. None of these intercept unauthenticated request after redirection.



      @Component
      @Order(Ordered.LOWEST_PRECEDENCE)
      class RedirectUrlProtocolUpdaterFilter extends OncePerRequestFilter

      @Override
      protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
      throws ServletException, IOException
      String locationHeader = response.getHeader("Location");
      System.out.println("############ inside interceptor");

      for(String name: response.getHeaderNames())
      System.out.println(name + " : " + response.getHeader(name));


      if(locationHeader != null && locationHeader.startsWith("http://"))
      System.out.println("###################### setting location header");

      locationHeader = locationHeader.replaceAll("http://", "https://");
      response.setHeader("Location", locationHeader);


      filterChain.doFilter(request, response);





      How do I correctly intercept the /login redirection by Spring Security in a filter/interceptor and update Location header to include correct protocol?



      Any hint is appreciated.










      share|improve this question
















      I'm working with a Spring microservice protected with Spring Security SSO login (Using Cloudfoundry UAA).



      Microservice when deployed on Cloud is accessible via HTTPS URL. Since HTTPS URL is of the ELB (Load balancer/web server), actual request to microservice from ELB comes on HTTP. So Spring when redirecting the user to login page produces HTTP URL instead of HTTPS URL in 302 Location header.



      Following is the flow



      Browser
      ->(https://mymicroservice.com) Unauthenticated request (Load balancer)
      ->(http://internal_lan_ip:someport) Microservice
      -> 302 Location http://mymicroservice.com/login
      -> Browser http://mymicroservice.com/login (failed)

      In short it goes from HTTPS -> HTTP -> 302 HTTP (failed as ELB doesn't serve on HTTP)


      Following is what I have tried



      x-forwarded-proto



      Since load balancer is also not populating x-forwarded-proto correctly to HTTPS, instead it gives me HTTP, I can't use Spring's support for it.



      Require channel HTTPS



      It also doesn't work, as it results in infinite redirections from Spring as Spring never receives an HTTPS request from ELB, despite correctly having produced HTTPS redirect URL.



      Interceptor/Filter



      Use a ServletFilter to check response header Location and if present replace http:// with https://.



      Frankly last option is my final option as I do not control the ELB configuration.



      Now issue is that I'm unable to intercept the response after spring redirects to /login URL which in turn should redirect to SSO URL.



      I have tried various combinations of Interceptors (postHandle, afterCompletion), using Spring security to inject it at various locations in the filter chain and finally setting the filter order to lowest. None of these intercept unauthenticated request after redirection.



      @Component
      @Order(Ordered.LOWEST_PRECEDENCE)
      class RedirectUrlProtocolUpdaterFilter extends OncePerRequestFilter

      @Override
      protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
      throws ServletException, IOException
      String locationHeader = response.getHeader("Location");
      System.out.println("############ inside interceptor");

      for(String name: response.getHeaderNames())
      System.out.println(name + " : " + response.getHeader(name));


      if(locationHeader != null && locationHeader.startsWith("http://"))
      System.out.println("###################### setting location header");

      locationHeader = locationHeader.replaceAll("http://", "https://");
      response.setHeader("Location", locationHeader);


      filterChain.doFilter(request, response);





      How do I correctly intercept the /login redirection by Spring Security in a filter/interceptor and update Location header to include correct protocol?



      Any hint is appreciated.







      java spring spring-security






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 10 '18 at 22:36







      11thdimension

















      asked Jan 5 '18 at 18:47









      11thdimension11thdimension

      7,47211235




      7,47211235






















          2 Answers
          2






          active

          oldest

          votes


















          0














          If you want to update Location header info you can try to use an HttpResponseInterceptor.



          This is an example of use from google HttpResponseInterceptor:
          https://developers.google.com/api-client-library/java/google-http-java-client/reference/1.20.0/com/google/api/client/http/HttpResponseInterceptor



          Other option is from Apache:
          https://hc.apache.org/httpcomponents-core-ga/httpcore/apidocs/org/apache/http/class-use/HttpResponseInterceptor.html






          share|improve this answer






























            0














            SpringFramework provides the HandlerInterceptor. This will intercept all http request, but can be used to constantly check for authentication and authorization. You will have to provide implementations for 3 methods (if you don't use them just implement an empty method). You can then put your code in the preHandle method.



            public class AuthenticationInterceptor implements HandlerInterceptor 

            @Override
            public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception


            @Override
            public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception


            @Override
            public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception







            share|improve this answer
























              Your Answer






              StackExchange.ifUsing("editor", function ()
              StackExchange.using("externalEditor", function ()
              StackExchange.using("snippets", function ()
              StackExchange.snippets.init();
              );
              );
              , "code-snippets");

              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "1"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader:
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              ,
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













              draft saved

              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f48119553%2fspring-security-change-redirect-url-to-use-https-instead-of-http%23new-answer', 'question_page');

              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              0














              If you want to update Location header info you can try to use an HttpResponseInterceptor.



              This is an example of use from google HttpResponseInterceptor:
              https://developers.google.com/api-client-library/java/google-http-java-client/reference/1.20.0/com/google/api/client/http/HttpResponseInterceptor



              Other option is from Apache:
              https://hc.apache.org/httpcomponents-core-ga/httpcore/apidocs/org/apache/http/class-use/HttpResponseInterceptor.html






              share|improve this answer



























                0














                If you want to update Location header info you can try to use an HttpResponseInterceptor.



                This is an example of use from google HttpResponseInterceptor:
                https://developers.google.com/api-client-library/java/google-http-java-client/reference/1.20.0/com/google/api/client/http/HttpResponseInterceptor



                Other option is from Apache:
                https://hc.apache.org/httpcomponents-core-ga/httpcore/apidocs/org/apache/http/class-use/HttpResponseInterceptor.html






                share|improve this answer

























                  0












                  0








                  0







                  If you want to update Location header info you can try to use an HttpResponseInterceptor.



                  This is an example of use from google HttpResponseInterceptor:
                  https://developers.google.com/api-client-library/java/google-http-java-client/reference/1.20.0/com/google/api/client/http/HttpResponseInterceptor



                  Other option is from Apache:
                  https://hc.apache.org/httpcomponents-core-ga/httpcore/apidocs/org/apache/http/class-use/HttpResponseInterceptor.html






                  share|improve this answer













                  If you want to update Location header info you can try to use an HttpResponseInterceptor.



                  This is an example of use from google HttpResponseInterceptor:
                  https://developers.google.com/api-client-library/java/google-http-java-client/reference/1.20.0/com/google/api/client/http/HttpResponseInterceptor



                  Other option is from Apache:
                  https://hc.apache.org/httpcomponents-core-ga/httpcore/apidocs/org/apache/http/class-use/HttpResponseInterceptor.html







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Apr 19 '18 at 18:28









                  Rafa blancoRafa blanco

                  1




                  1























                      0














                      SpringFramework provides the HandlerInterceptor. This will intercept all http request, but can be used to constantly check for authentication and authorization. You will have to provide implementations for 3 methods (if you don't use them just implement an empty method). You can then put your code in the preHandle method.



                      public class AuthenticationInterceptor implements HandlerInterceptor 

                      @Override
                      public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception


                      @Override
                      public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception


                      @Override
                      public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception







                      share|improve this answer





























                        0














                        SpringFramework provides the HandlerInterceptor. This will intercept all http request, but can be used to constantly check for authentication and authorization. You will have to provide implementations for 3 methods (if you don't use them just implement an empty method). You can then put your code in the preHandle method.



                        public class AuthenticationInterceptor implements HandlerInterceptor 

                        @Override
                        public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception


                        @Override
                        public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception


                        @Override
                        public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception







                        share|improve this answer



























                          0












                          0








                          0







                          SpringFramework provides the HandlerInterceptor. This will intercept all http request, but can be used to constantly check for authentication and authorization. You will have to provide implementations for 3 methods (if you don't use them just implement an empty method). You can then put your code in the preHandle method.



                          public class AuthenticationInterceptor implements HandlerInterceptor 

                          @Override
                          public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception


                          @Override
                          public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception


                          @Override
                          public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception







                          share|improve this answer















                          SpringFramework provides the HandlerInterceptor. This will intercept all http request, but can be used to constantly check for authentication and authorization. You will have to provide implementations for 3 methods (if you don't use them just implement an empty method). You can then put your code in the preHandle method.



                          public class AuthenticationInterceptor implements HandlerInterceptor 

                          @Override
                          public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception


                          @Override
                          public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception


                          @Override
                          public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception








                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited Nov 13 '18 at 18:08









                          AS Mackay

                          1,9854819




                          1,9854819










                          answered Nov 13 '18 at 17:45









                          BuffChuckBuffChuck

                          12




                          12



























                              draft saved

                              draft discarded
















































                              Thanks for contributing an answer to Stack Overflow!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid


                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.

                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f48119553%2fspring-security-change-redirect-url-to-use-https-instead-of-http%23new-answer', 'question_page');

                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              這個網誌中的熱門文章

                              How to read a connectionString WITH PROVIDER in .NET Core?

                              Node.js Script on GitHub Pages or Amazon S3

                              Museum of Modern and Contemporary Art of Trento and Rovereto