2019-11-25 15:49:51 -06:00
|
|
|
[[webflux-http]]
|
|
|
|
|
= HTTP
|
2018-09-18 21:12:37 -05:00
|
|
|
|
2021-08-10 15:21:42 -05:00
|
|
|
All HTTP based communication should be protected xref:features/exploits/http.adoc#http[using TLS].
|
2018-09-18 21:12:37 -05:00
|
|
|
|
2019-11-25 15:49:51 -06:00
|
|
|
Below you can find details around WebFlux specific features that assist with HTTPS usage.
|
|
|
|
|
|
|
|
|
|
[[webflux-http-redirect]]
|
|
|
|
|
== Redirect to HTTPS
|
|
|
|
|
|
|
|
|
|
If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.
|
|
|
|
|
|
|
|
|
|
For example, the following Java configuration will redirect any HTTP requests to HTTPS:
|
|
|
|
|
|
|
|
|
|
.Redirect to HTTPS
|
|
|
|
|
====
|
2020-09-18 14:43:23 +02:00
|
|
|
.Java
|
|
|
|
|
[source,java,role="primary"]
|
2018-09-18 21:12:37 -05:00
|
|
|
----
|
|
|
|
|
@Bean
|
2019-07-24 12:15:32 -04:00
|
|
|
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
2018-09-18 21:12:37 -05:00
|
|
|
http
|
|
|
|
|
// ...
|
2019-07-22 09:31:10 -04:00
|
|
|
.redirectToHttps(withDefaults());
|
2018-09-18 21:12:37 -05:00
|
|
|
return http.build();
|
|
|
|
|
}
|
|
|
|
|
----
|
2020-09-18 14:43:23 +02:00
|
|
|
|
|
|
|
|
.Kotlin
|
|
|
|
|
[source,kotlin,role="secondary"]
|
|
|
|
|
----
|
|
|
|
|
@Bean
|
|
|
|
|
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
|
|
|
|
|
return http {
|
|
|
|
|
// ...
|
|
|
|
|
redirectToHttps { }
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
----
|
2019-11-25 15:49:51 -06:00
|
|
|
====
|
2018-09-18 21:12:37 -05:00
|
|
|
|
|
|
|
|
The configuration can easily be wrapped around an if statement to only be turned on in production.
|
|
|
|
|
Alternatively, it can be enabled by looking for a property about the request that only happens in production.
|
|
|
|
|
For example, if the production environment adds a header named `X-Forwarded-Proto` the following Java Configuration could be used:
|
|
|
|
|
|
2019-11-25 15:49:51 -06:00
|
|
|
.Redirect to HTTPS when X-Forwarded
|
|
|
|
|
====
|
2020-09-18 14:43:23 +02:00
|
|
|
.Java
|
|
|
|
|
[source,java,role="primary"]
|
2018-09-18 21:12:37 -05:00
|
|
|
----
|
|
|
|
|
@Bean
|
2019-07-24 12:15:32 -04:00
|
|
|
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
2018-09-18 21:12:37 -05:00
|
|
|
http
|
|
|
|
|
// ...
|
2020-01-10 13:10:36 +01:00
|
|
|
.redirectToHttps(redirect -> redirect
|
|
|
|
|
.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
|
2019-07-22 09:31:10 -04:00
|
|
|
);
|
2018-09-18 21:12:37 -05:00
|
|
|
return http.build();
|
|
|
|
|
}
|
|
|
|
|
----
|
2020-09-18 14:43:23 +02:00
|
|
|
|
|
|
|
|
.Kotlin
|
|
|
|
|
[source,kotlin,role="secondary"]
|
|
|
|
|
----
|
|
|
|
|
@Bean
|
|
|
|
|
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
|
|
|
|
|
return http {
|
|
|
|
|
// ...
|
|
|
|
|
redirectToHttps {
|
|
|
|
|
httpsRedirectWhen {
|
|
|
|
|
it.request.headers.containsKey("X-Forwarded-Proto")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
----
|
2019-11-25 15:49:51 -06:00
|
|
|
====
|
|
|
|
|
|
|
|
|
|
[[webflux-hsts]]
|
|
|
|
|
== Strict Transport Security
|
|
|
|
|
|
2021-07-30 16:56:54 -05:00
|
|
|
Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.
|
2019-11-25 15:49:51 -06:00
|
|
|
|
|
|
|
|
[[webflux-http-proxy-server]]
|
|
|
|
|
== Proxy Server Configuration
|
|
|
|
|
|
2021-08-10 15:21:42 -05:00
|
|
|
Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].
|
