spring-security/docs/modules/ROOT/pages/servlet/exploits/http.adoc

[[servlet-http]]
= HTTP

All HTTP-based communication should be protected xref:features/exploits/http.adoc#http[using TLS].

This section discusses the details of servlet-specific features that assist with HTTPS usage.

[[servlet-http-redirect]]
== Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS.

For example, the following Java or Kotlin configuration redirects any HTTP requests to HTTPS:

.Redirect to HTTPS
====
.Java
[source,java,role="primary"]
----
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			// ...
			.requiresChannel(channel -> channel
				.anyRequest().requiresSecure()
			);
		return http.build();
	}
}
----

.Kotlin
[source,kotlin,role="secondary"]
----
@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            // ...
            requiresChannel {
                secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
            }
        }
        return http.build()
    }
}
----
====

The following XML configuration redirects all HTTP requests to HTTPS

.Redirect to HTTPS with XML Configuration
====
[source,xml]
----
<http>
	<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
...
</http>
----
====


[[servlet-hsts]]
== Strict Transport Security

Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.

[[servlet-http-proxy-server]]
== Proxy Server Configuration

Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00			`[[servlet-http]]`
			`= HTTP`

Merge Clean up Reference Documentation Closes gh-9668 2021-12-13 17:57:36 -05:00			`All HTTP-based communication should be protected xref:features/exploits/http.adoc#http[using TLS].`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			`This section discusses the details of servlet-specific features that assist with HTTPS usage.`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
			`[[servlet-http-redirect]]`
			`== Redirect to HTTPS`

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			`If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS.`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			`For example, the following Java or Kotlin configuration redirects any HTTP requests to HTTPS:`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
Add servlet HTTP exploit samples Issue gh-8172 2020-09-18 08:44:33 -04:00			`.Redirect to HTTPS`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00			`====`
Add servlet HTTP exploit samples Issue gh-8172 2020-09-18 08:44:33 -04:00			`.Java`
			`[source,java,role="primary"]`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00			`----`
			`@Configuration`
			`@EnableWebSecurity`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 10:12:10 -05:00			`public class WebSecurityConfig {`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 10:12:10 -05:00			`@Bean`
			`public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00			`http`
			`// ...`
Use standard lambda syntax in documentation Fixes: gh-7774 2020-01-10 07:10:36 -05:00			`.requiresChannel(channel -> channel`
			`.anyRequest().requiresSecure()`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00			`);`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 10:12:10 -05:00			`return http.build();`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00			`}`
			`}`
			`----`
Add servlet HTTP exploit samples Issue gh-8172 2020-09-18 08:44:33 -04:00
			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`@Configuration`
			`@EnableWebSecurity`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 10:12:10 -05:00			`class SecurityConfig {`
Add servlet HTTP exploit samples Issue gh-8172 2020-09-18 08:44:33 -04:00
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 10:12:10 -05:00			`@Bean`
			`open fun filterChain(http: HttpSecurity): SecurityFilterChain {`
Add servlet HTTP exploit samples Issue gh-8172 2020-09-18 08:44:33 -04:00			`http {`
			`// ...`
			`requiresChannel {`
			`secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")`
			`}`
			`}`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 10:12:10 -05:00			`return http.build()`
Add servlet HTTP exploit samples Issue gh-8172 2020-09-18 08:44:33 -04:00			`}`
			`}`
			`----`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00			`====`

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			`The following XML configuration redirects all HTTP requests to HTTPS`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
			`.Redirect to HTTPS with XML Configuration`
			`====`
			`[source,xml]`
			`----`
			`<http>`
			`<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>`
			`...`
			`</http>`
			`----`
			`====`


			`[[servlet-hsts]]`
			`== Strict Transport Security`

mkdir -p build/ids find -name ".adoc" \| xargs -I{file} awk -v file={file} '/\[\[/ { gsub("\[\|\]", ""); id=$0; gsub("./docs/modules/ROOT/pages/", "", file); gsub("\[\|\]", ""); id=$0;getline;text=$0; sub("^=+ ","", text); print file > "build/ids/"id".id"; print text > "build/ids/"id".text" }' {file} find docs/modules -name ".adoc"\|while read adoc_file_to_replace; do echo "Replacing $adoc_file_to_replace" for id_file in build/ids/*.id; do id=$(basename $id_file \| sed 's/\.id$//') xref_page=$(cat $id_file) if [[ "$adoc_file_to_replace" -ef "./docs/modules/ROOT/pages/$xref_page" ]] then echo " - Skipping same page refid $id " else sed -i -E "s%<<$id(\|,([^,>]+))>>%xref:${xref_page}#${id}[\2]%g" $adoc_file_to_replace fi done done 2021-07-30 17:56:54 -04:00			`Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
			`[[servlet-http-proxy-server]]`
			`== Proxy Server Configuration`

overview/ -> ../ 2021-08-10 16:21:42 -04:00			`Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].`