HTTP Channel for localhost and HTTPS for everything else. How to do?

  • HTTP Channel for localhost and HTTPS for everything else. How to do?

    Hi everyone,

    I wanted to know if there is an easy way to set up Spring Security to use https for all connections besides localhost. The reason is that a nodeJS instance is connecting to my REST WebApp. Therefore, there is no need to communicate over https, I think.

    This is my <http> tag within my Spring security context:
    HTML Code:
    <http create-session="stateless" use-expressions="true"
    	authentication-manager-ref="ZportlyAuthenticationManager" entry-point-ref="digestEntryPoint">
    	<http-basic />
    	<intercept-url pattern="/auth/*" access="isAnonymous()" requires-channel="https" />
    	<intercept-url pattern="/error/*" access="isAnonymous()" requires-channel="https" />
    	<intercept-url pattern="/**" access="isAuthenticated()" requires-channel="https" method="GET" />
    	<logout logout-url="/auth/logout" logout-success-url="/auth/logout/success" />
    	<custom-filter ref="allowCrossDomainRequestFilter" position="LAST" />
    	<custom-filter ref="digestFilter" after="BASIC_AUTH_FILTER" />
    	<!-- <port-mappings> <port-mapping http="8080" https="8443" /> </port-mappings> -->
    </http>

  • #2
    We manage such things in the build process using Maven profiles. In Maven pom.xml, create profiles for each of the environments; for example:

    Code:
        <project>
            ...
            <profiles>
                <profile>
                    <id>dev</id>
                    <properties>
                        <spring.security.http.channel>http</spring.security.http.channel>
                    </properties>
                </profile>
                <profile>
                    <id>test</id>
                    <properties>
                        <spring.security.http.channel>https</spring.security.http.channel>
                    </properties>
                </profile>
                <profile>
                    <id>staging</id>
                    <properties>
                        <spring.security.http.channel>https</spring.security.http.channel>
                    </properties>
                </profile>
                <profile>
                    <id>prod</id>
                    <properties>
                        <spring.security.http.channel>https</spring.security.http.channel>
                    </properties>
                </profile>
            </profiles>
            ...
        </project>
    Then, use Maven resource filtering to set the channel appropriately during the build.

    Code:
    <http create-session="stateless" use-expressions="true"
        authentication-manager-ref="ZportlyAuthenticationManager" entry-point-ref="digestEntryPoint">
        <http-basic />
        <intercept-url pattern="/auth/*" access="isAnonymous()" requires-channel="${spring.security.http.channel}" />
        <intercept-url pattern="/error/*" access="isAnonymous()" requires-channel="${spring.security.http.channel}" />
        <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="${spring.security.http.channel}" method="GET" />
        <logout logout-url="/auth/logout" logout-success-url="/auth/logout/success" />
        <custom-filter ref="allowCrossDomainRequestFilter" position="LAST" />
        <custom-filter ref="digestFilter" after="BASIC_AUTH_FILTER" />
        <!-- <port-mappings> <port-mapping http="8080" https="8443" /> </port-mappings> -->
    </http>
    If you are using Ant for building the code, a similar strategy can be adopted with Ant token replacement.



    • #3
      Hi Manish,

      Thank you for your reply. Your idea makes sense if I had to distinguish between different profiles like your example, but I need an http and an https channel at the same time for the URLs. Something like this:

      HTML Code:
      <intercept-url pattern="/auth/*" access="isAnonymous()" requires-channel="http" />
      <intercept-url pattern="/error/*" access="isAnonymous()" requires-channel="http" host="localhost" />
      <intercept-url pattern="/error/*" access="isAnonymous()" requires-channel="https" host="all other incoming connections" />
      I googled a lot and did not find a solution so far.

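One way to get the per-client behaviour asked for in #3, as an added example that is not code from any of the posts or from Spring Security itself: a request matcher that selects a separate `<http>` chain for loopback clients, leaving the HTTPS-only chain for everyone else. The class name `LoopbackRequestMatcher`, the package `example` and the bean id `loopbackMatcher` are hypothetical; it assumes Spring Security 3.2+ package names and that the Node.js client connects directly over the loopback interface, with no reverse proxy in between.

```java
package example; // hypothetical package

import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.http.HttpServletRequest;
// Spring Security 3.2+; in 3.1.x the interface is org.springframework.security.web.util.RequestMatcher
import org.springframework.security.web.util.matcher.RequestMatcher;

// Selects the filter chain for requests whose TCP peer is a loopback address.
// Wiring sketch (Spring Security 3.1+ accepts several <http> elements, tried in order):
//
//   <beans:bean id="loopbackMatcher" class="example.LoopbackRequestMatcher" />
//
//   <http request-matcher-ref="loopbackMatcher" ...same attributes as before...>
//       <intercept-url pattern="/**" access="isAuthenticated()" />   <!-- no requires-channel -->
//   </http>
//   <http ...same attributes as before...>
//       <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="https" />
//   </http>
public class LoopbackRequestMatcher implements RequestMatcher {

    @Override
    public boolean matches(HttpServletRequest request) {
        // Use the socket peer address, never the Host header, which the client controls.
        // Behind a reverse proxy on the same machine getRemoteAddr() is the proxy's
        // address, so every proxied request would look local; do not use this there.
        return isLoopback(request.getRemoteAddr());
    }

    static boolean isLoopback(String remoteAddr) {
        if (remoteAddr == null || remoteAddr.isEmpty()) {
            return false; // fail closed: fall through to the HTTPS-only chain
        }
        try {
            // A literal IP is parsed without a DNS lookup; covers 127.0.0.0/8 and ::1.
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false; // unparseable address: treat as remote
        }
    }
}
```

The catch-all `<http>` element without a matcher has to be declared last, since the first chain whose matcher accepts the request handles it.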