Spring security change redirect URL to use HTTPS instead of HTTP
I'm working with a Spring microservice protected with Spring Security SSO login (Using Cloudfoundry UAA).
Microservice when deployed on Cloud is accessible via HTTPS URL. Since HTTPS URL is of the ELB (Load balancer/web server), actual request to microservice from ELB comes on HTTP. So Spring when redirecting the user to login page produces HTTP URL instead of HTTPS URL in 302 Location header.
Following is the flow
Browser
->(https://mymicroservice.com) Unauthenticated request (Load balancer)
->(http://internal_lan_ip:someport) Microservice
-> 302 Location http://mymicroservice.com/login
-> Browser http://mymicroservice.com/login (failed)
In short it goes from HTTPS -> HTTP -> 302 HTTP (failed as ELB doesn't serve on HTTP)
Following is what I have tried
x-forwarded-proto
Since load balancer is also not populating x-forwarded-proto correctly to HTTPS, instead it gives me HTTP, I can't use Spring's support for it.
Require channel HTTPS
It also doesn't work, as it results in infinite redirections from Spring as Spring never receives an HTTPS request from ELB, despite correctly having produced HTTPS redirect URL.
Interceptor/Filter
Use a ServletFilter to check response header Location and if present replace http:// with https://.
Frankly last option is my final option as I do not control the ELB configuration.
Now issue is that I'm unable to intercept the response after spring redirects to /login URL which in turn should redirect to SSO URL.
I have tried various combinations of Interceptors (postHandle, afterCompletion), using Spring security to inject it at various locations in the filter chain and finally setting the filter order to lowest. None of these intercept unauthenticated request after redirection.
@Component
@Order(Ordered.LOWEST_PRECEDENCE)
class RedirectUrlProtocolUpdaterFilter extends OncePerRequestFilter
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException
String locationHeader = response.getHeader("Location");
System.out.println("############ inside interceptor");
for(String name: response.getHeaderNames())
System.out.println(name + " : " + response.getHeader(name));
if(locationHeader != null && locationHeader.startsWith("http://"))
System.out.println("###################### setting location header");
locationHeader = locationHeader.replaceAll("http://", "https://");
response.setHeader("Location", locationHeader);
filterChain.doFilter(request, response);
How do I correctly intercept the /login redirection by Spring Security in a filter/interceptor and update Location header to include correct protocol?
Any hint is appreciated.
java spring spring-security
asked Jan 5 '18 at 18:47
11thdimension11thdimension
7,47211235
add a comment |
I'm working with a Spring microservice protected with Spring Security SSO login (Using Cloudfoundry UAA).
Microservice when deployed on Cloud is accessible via HTTPS URL. Since HTTPS URL is of the ELB (Load balancer/web server), actual request to microservice from ELB comes on HTTP. So Spring when redirecting the user to login page produces HTTP URL instead of HTTPS URL in 302 Location header.
Following is the flow
Browser
->(https://mymicroservice.com) Unauthenticated request (Load balancer)
->(http://internal_lan_ip:someport) Microservice
-> 302 Location http://mymicroservice.com/login
-> Browser http://mymicroservice.com/login (failed)
In short it goes from HTTPS -> HTTP -> 302 HTTP (failed as ELB doesn't serve on HTTP)
Following is what I have tried
x-forwarded-proto
Since load balancer is also not populating x-forwarded-proto correctly to HTTPS, instead it gives me HTTP, I can't use Spring's support for it.
Require channel HTTPS
It also doesn't work, as it results in infinite redirections from Spring as Spring never receives an HTTPS request from ELB, despite correctly having produced HTTPS redirect URL.
Interceptor/Filter
Use a ServletFilter to check response header Location and if present replace http:// with https://.
Frankly last option is my final option as I do not control the ELB configuration.
Now issue is that I'm unable to intercept the response after spring redirects to /login URL which in turn should redirect to SSO URL.
I have tried various combinations of Interceptors (postHandle, afterCompletion), using Spring security to inject it at various locations in the filter chain and finally setting the filter order to lowest. None of these intercept unauthenticated request after redirection.
@Component
@Order(Ordered.LOWEST_PRECEDENCE)
class RedirectUrlProtocolUpdaterFilter extends OncePerRequestFilter
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException
String locationHeader = response.getHeader("Location");
System.out.println("############ inside interceptor");
for(String name: response.getHeaderNames())
System.out.println(name + " : " + response.getHeader(name));
if(locationHeader != null && locationHeader.startsWith("http://"))
System.out.println("###################### setting location header");
locationHeader = locationHeader.replaceAll("http://", "https://");
response.setHeader("Location", locationHeader);
filterChain.doFilter(request, response);
How do I correctly intercept the /login redirection by Spring Security in a filter/interceptor and update Location header to include correct protocol?
Any hint is appreciated.
java spring spring-security
asked Jan 5 '18 at 18:47
11thdimension11thdimension
7,47211235
add a comment |
I'm working with a Spring microservice protected with Spring Security SSO login (Using Cloudfoundry UAA).
Microservice when deployed on Cloud is accessible via HTTPS URL. Since HTTPS URL is of the ELB (Load balancer/web server), actual request to microservice from ELB comes on HTTP. So Spring when redirecting the user to login page produces HTTP URL instead of HTTPS URL in 302 Location header.
Following is the flow
Browser
->(https://mymicroservice.com) Unauthenticated request (Load balancer)
->(http://internal_lan_ip:someport) Microservice
-> 302 Location http://mymicroservice.com/login
-> Browser http://mymicroservice.com/login (failed)
In short it goes from HTTPS -> HTTP -> 302 HTTP (failed as ELB doesn't serve on HTTP)
Following is what I have tried
x-forwarded-proto
Since load balancer is also not populating x-forwarded-proto correctly to HTTPS, instead it gives me HTTP, I can't use Spring's support for it.
Require channel HTTPS
It also doesn't work, as it results in infinite redirections from Spring as Spring never receives an HTTPS request from ELB, despite correctly having produced HTTPS redirect URL.
Interceptor/Filter
Use a ServletFilter to check response header Location and if present replace http:// with https://.
Frankly last option is my final option as I do not control the ELB configuration.
Now issue is that I'm unable to intercept the response after spring redirects to /login URL which in turn should redirect to SSO URL.
I have tried various combinations of Interceptors (postHandle, afterCompletion), using Spring security to inject it at various locations in the filter chain and finally setting the filter order to lowest. None of these intercept unauthenticated request after redirection.
@Component
@Order(Ordered.LOWEST_PRECEDENCE)
class RedirectUrlProtocolUpdaterFilter extends OncePerRequestFilter
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException
String locationHeader = response.getHeader("Location");
System.out.println("############ inside interceptor");
for(String name: response.getHeaderNames())
System.out.println(name + " : " + response.getHeader(name));
if(locationHeader != null && locationHeader.startsWith("http://"))
System.out.println("###################### setting location header");
locationHeader = locationHeader.replaceAll("http://", "https://");
response.setHeader("Location", locationHeader);
filterChain.doFilter(request, response);
How do I correctly intercept the /login redirection by Spring Security in a filter/interceptor and update Location header to include correct protocol?
Any hint is appreciated.
java spring spring-security
asked Jan 5 '18 at 18:47
11thdimension11thdimension
7,47211235
I'm working with a Spring microservice protected with Spring Security SSO login (Using Cloudfoundry UAA).
Microservice when deployed on Cloud is accessible via HTTPS URL. Since HTTPS URL is of the ELB (Load balancer/web server), actual request to microservice from ELB comes on HTTP. So Spring when redirecting the user to login page produces HTTP URL instead of HTTPS URL in 302 Location header.
Following is the flow
Browser
->(https://mymicroservice.com) Unauthenticated request (Load balancer)
->(http://internal_lan_ip:someport) Microservice
-> 302 Location http://mymicroservice.com/login
-> Browser http://mymicroservice.com/login (failed)
In short it goes from HTTPS -> HTTP -> 302 HTTP (failed as ELB doesn't serve on HTTP)
Following is what I have tried
x-forwarded-proto
Since load balancer is also not populating x-forwarded-proto correctly to HTTPS, instead it gives me HTTP, I can't use Spring's support for it.
Require channel HTTPS
It also doesn't work, as it results in infinite redirections from Spring as Spring never receives an HTTPS request from ELB, despite correctly having produced HTTPS redirect URL.
Interceptor/Filter
Use a ServletFilter to check response header Location and if present replace http:// with https://.
Frankly last option is my final option as I do not control the ELB configuration.
Now issue is that I'm unable to intercept the response after spring redirects to /login URL which in turn should redirect to SSO URL.
I have tried various combinations of Interceptors (postHandle, afterCompletion), using Spring security to inject it at various locations in the filter chain and finally setting the filter order to lowest. None of these intercept unauthenticated request after redirection.
@Component
@Order(Ordered.LOWEST_PRECEDENCE)
class RedirectUrlProtocolUpdaterFilter extends OncePerRequestFilter
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException
String locationHeader = response.getHeader("Location");
System.out.println("############ inside interceptor");
for(String name: response.getHeaderNames())
System.out.println(name + " : " + response.getHeader(name));
if(locationHeader != null && locationHeader.startsWith("http://"))
System.out.println("###################### setting location header");
locationHeader = locationHeader.replaceAll("http://", "https://");
response.setHeader("Location", locationHeader);
filterChain.doFilter(request, response);
How do I correctly intercept the /login redirection by Spring Security in a filter/interceptor and update Location header to include correct protocol?
Any hint is appreciated.
java spring spring-security
java spring spring-security
asked Jan 5 '18 at 18:47
11thdimension11thdimension
7,47211235
asked Jan 5 '18 at 18:47
11thdimension11thdimension
7,47211235
edited Nov 10 '18 at 22:36
11thdimension
asked Jan 5 '18 at 18:47
11thdimension11thdimension
7,47211235
asked Jan 5 '18 at 18:47
11thdimension11thdimension
7,47211235
asked Jan 5 '18 at 18:47
11thdimension11thdimension
7,47211235
7,47211235
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
If you want to update Location header info you can try to use an HttpResponseInterceptor.
This is an example of use from google HttpResponseInterceptor:
https://developers.google.com/api-client-library/java/google-http-java-client/reference/1.20.0/com/google/api/client/http/HttpResponseInterceptor
Other option is from Apache:
https://hc.apache.org/httpcomponents-core-ga/httpcore/apidocs/org/apache/http/class-use/HttpResponseInterceptor.html
answered Apr 19 '18 at 18:28
Rafa blancoRafa blanco
1
add a comment |
SpringFramework provides the HandlerInterceptor. This will intercept all http request, but can be used to constantly check for authentication and authorization. You will have to provide implementations for 3 methods (if you don't use them just implement an empty method). You can then put your code in the preHandle method.
public class AuthenticationInterceptor implements HandlerInterceptor
@Override
public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception
@Override
public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception
@Override
public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception
edited Nov 13 '18 at 18:08
AS Mackay
1,9854819
answered Nov 13 '18 at 17:45
BuffChuckBuffChuck
12
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f48119553%2fspring-security-change-redirect-url-to-use-https-instead-of-http%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
If you want to update Location header info you can try to use an HttpResponseInterceptor.
This is an example of use from google HttpResponseInterceptor:
https://developers.google.com/api-client-library/java/google-http-java-client/reference/1.20.0/com/google/api/client/http/HttpResponseInterceptor
Other option is from Apache:
https://hc.apache.org/httpcomponents-core-ga/httpcore/apidocs/org/apache/http/class-use/HttpResponseInterceptor.html
answered Apr 19 '18 at 18:28
Rafa blancoRafa blanco
1
add a comment |
If you want to update Location header info you can try to use an HttpResponseInterceptor.
This is an example of use from google HttpResponseInterceptor:
https://developers.google.com/api-client-library/java/google-http-java-client/reference/1.20.0/com/google/api/client/http/HttpResponseInterceptor
Other option is from Apache:
https://hc.apache.org/httpcomponents-core-ga/httpcore/apidocs/org/apache/http/class-use/HttpResponseInterceptor.html
answered Apr 19 '18 at 18:28
Rafa blancoRafa blanco
1
add a comment |
If you want to update Location header info you can try to use an HttpResponseInterceptor.
This is an example of use from google HttpResponseInterceptor:
https://developers.google.com/api-client-library/java/google-http-java-client/reference/1.20.0/com/google/api/client/http/HttpResponseInterceptor
Other option is from Apache:
https://hc.apache.org/httpcomponents-core-ga/httpcore/apidocs/org/apache/http/class-use/HttpResponseInterceptor.html
answered Apr 19 '18 at 18:28
Rafa blancoRafa blanco
1
If you want to update Location header info you can try to use an HttpResponseInterceptor.
This is an example of use from google HttpResponseInterceptor:
https://developers.google.com/api-client-library/java/google-http-java-client/reference/1.20.0/com/google/api/client/http/HttpResponseInterceptor
Other option is from Apache:
https://hc.apache.org/httpcomponents-core-ga/httpcore/apidocs/org/apache/http/class-use/HttpResponseInterceptor.html
answered Apr 19 '18 at 18:28
Rafa blancoRafa blanco
1
answered Apr 19 '18 at 18:28
Rafa blancoRafa blanco
1
answered Apr 19 '18 at 18:28
Rafa blancoRafa blanco
1
answered Apr 19 '18 at 18:28
Rafa blancoRafa blanco
1
1
add a comment |
add a comment |
SpringFramework provides the HandlerInterceptor. This will intercept all http request, but can be used to constantly check for authentication and authorization. You will have to provide implementations for 3 methods (if you don't use them just implement an empty method). You can then put your code in the preHandle method.
public class AuthenticationInterceptor implements HandlerInterceptor
@Override
public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception
@Override
public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception
@Override
public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception
edited Nov 13 '18 at 18:08
AS Mackay
1,9854819
answered Nov 13 '18 at 17:45
BuffChuckBuffChuck
12
add a comment |
SpringFramework provides the HandlerInterceptor. This will intercept all http request, but can be used to constantly check for authentication and authorization. You will have to provide implementations for 3 methods (if you don't use them just implement an empty method). You can then put your code in the preHandle method.
public class AuthenticationInterceptor implements HandlerInterceptor
@Override
public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception
@Override
public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception
@Override
public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception
edited Nov 13 '18 at 18:08
AS Mackay
1,9854819
answered Nov 13 '18 at 17:45
BuffChuckBuffChuck
12
add a comment |
SpringFramework provides the HandlerInterceptor. This will intercept all http request, but can be used to constantly check for authentication and authorization. You will have to provide implementations for 3 methods (if you don't use them just implement an empty method). You can then put your code in the preHandle method.
public class AuthenticationInterceptor implements HandlerInterceptor
@Override
public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception
@Override
public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception
@Override
public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception
edited Nov 13 '18 at 18:08
AS Mackay
1,9854819
answered Nov 13 '18 at 17:45
BuffChuckBuffChuck
12
SpringFramework provides the HandlerInterceptor. This will intercept all http request, but can be used to constantly check for authentication and authorization. You will have to provide implementations for 3 methods (if you don't use them just implement an empty method). You can then put your code in the preHandle method.
public class AuthenticationInterceptor implements HandlerInterceptor
@Override
public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception
@Override
public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception
@Override
public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception
edited Nov 13 '18 at 18:08
AS Mackay
1,9854819
answered Nov 13 '18 at 17:45
BuffChuckBuffChuck
12
edited Nov 13 '18 at 18:08
AS Mackay
1,9854819
edited Nov 13 '18 at 18:08
AS Mackay
1,9854819
edited Nov 13 '18 at 18:08
AS Mackay
1,9854819
1,9854819
answered Nov 13 '18 at 17:45
BuffChuckBuffChuck
12
answered Nov 13 '18 at 17:45
BuffChuckBuffChuck
12
answered Nov 13 '18 at 17:45
BuffChuckBuffChuck
12
12
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f48119553%2fspring-security-change-redirect-url-to-use-https-instead-of-http%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
