spring-security/docs/modules/ROOT/pages/servlet/exploits/http.adoc

[[servlet-http]]
= HTTP

All HTTP based communication should be protected xref:features/exploits/http.adoc#http[using TLS].

Below you can find details around Servlet specific features that assist with HTTPS usage.

[[servlet-http-redirect]]
== Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.

For example, the following Java configuration will redirect any HTTP requests to HTTPS:

.Redirect to HTTPS
====
.Java
[source,java,role="primary"]
----
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends
		WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity http) {
		http
			// ...
			.requiresChannel(channel -> channel
				.anyRequest().requiresSecure()
			);
	}
}
----

.Kotlin
[source,kotlin,role="secondary"]
----
@Configuration
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        http {
            // ...
            requiresChannel {
                secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
            }
        }
    }
}
----
====

The following XML configuration will redirect all HTTP requests to HTTPS

.Redirect to HTTPS with XML Configuration
====
[source,xml]
----
<http>
	<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
...
</http>
----
====


[[servlet-hsts]]
== Strict Transport Security

Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.

[[servlet-http-proxy-server]]
== Proxy Server Configuration

Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 15:49:51 -06:00			`[[servlet-http]]`
			`= HTTP`

overview/ -> ../ 2021-08-10 15:21:42 -05:00			`All HTTP based communication should be protected xref:features/exploits/http.adoc#http[using TLS].`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 15:49:51 -06:00
			`Below you can find details around Servlet specific features that assist with HTTPS usage.`

			`[[servlet-http-redirect]]`
			`== Redirect to HTTPS`

			`If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.`

			`For example, the following Java configuration will redirect any HTTP requests to HTTPS:`

Add servlet HTTP exploit samples Issue gh-8172 2020-09-18 14:44:33 +02:00			`.Redirect to HTTPS`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 15:49:51 -06:00			`====`
Add servlet HTTP exploit samples Issue gh-8172 2020-09-18 14:44:33 +02:00			`.Java`
			`[source,java,role="primary"]`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 15:49:51 -06:00			`----`
			`@Configuration`
			`@EnableWebSecurity`
			`public class WebSecurityConfig extends`
			`WebSecurityConfigurerAdapter {`

			`@Override`
			`protected void configure(HttpSecurity http) {`
			`http`
			`// ...`
Use standard lambda syntax in documentation Fixes: gh-7774 2020-01-10 13:10:36 +01:00			`.requiresChannel(channel -> channel`
			`.anyRequest().requiresSecure()`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 15:49:51 -06:00			`);`
			`}`
			`}`
			`----`
Add servlet HTTP exploit samples Issue gh-8172 2020-09-18 14:44:33 +02:00
			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`@Configuration`
			`@EnableWebSecurity`
			`class SecurityConfig : WebSecurityConfigurerAdapter() {`

			`override fun configure(http: HttpSecurity) {`
			`http {`
			`// ...`
			`requiresChannel {`
			`secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")`
			`}`
			`}`
			`}`
			`}`
			`----`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 15:49:51 -06:00			`====`

			`The following XML configuration will redirect all HTTP requests to HTTPS`

			`.Redirect to HTTPS with XML Configuration`
			`====`
			`[source,xml]`
			`----`
			`<http>`
			`<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>`
			`...`
			`</http>`
			`----`
			`====`


			`[[servlet-hsts]]`
			`== Strict Transport Security`

mkdir -p build/ids find -name ".adoc" \| xargs -I{file} awk -v file={file} '/\[\[/ { gsub("\[\|\]", ""); id=$0; gsub("./docs/modules/ROOT/pages/", "", file); gsub("\[\|\]", ""); id=$0;getline;text=$0; sub("^=+ ","", text); print file > "build/ids/"id".id"; print text > "build/ids/"id".text" }' {file} find docs/modules -name ".adoc"\|while read adoc_file_to_replace; do echo "Replacing $adoc_file_to_replace" for id_file in build/ids/*.id; do id=$(basename $id_file \| sed 's/\.id$//') xref_page=$(cat $id_file) if [[ "$adoc_file_to_replace" -ef "./docs/modules/ROOT/pages/$xref_page" ]] then echo " - Skipping same page refid $id " else sed -i -E "s%<<$id(\|,([^,>]+))>>%xref:${xref_page}#${id}[\2]%g" $adoc_file_to_replace fi done done 2021-07-30 16:56:54 -05:00			`Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 15:49:51 -06:00
			`[[servlet-http-proxy-server]]`
			`== Proxy Server Configuration`

overview/ -> ../ 2021-08-10 15:21:42 -05:00			`Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].`