mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-05-05 18:07:25 +00:00
1f90df6a14
find -name "*.adoc" | xargs -I{file} awk -v file={file} '/\[\[/ { gsub("\[|\]", ""); id=$0; gsub("./docs/modules/ROOT/pages/", "", file); gsub("\[|\]", ""); id=$0;getline;text=$0; sub("^=+ ","", text); print file > "build/ids/"id".id"; print text > "build/ids/"id".text" }' {file}
find docs/modules -name "*.adoc"|while read adoc_file_to_replace; do
echo "Replacing $adoc_file_to_replace"
for id_file in build/ids/*.id; do
id=$(basename $id_file | sed 's/\.id$//')
xref_page=$(cat $id_file)
if [[ "$adoc_file_to_replace" -ef "./docs/modules/ROOT/pages/$xref_page" ]]
then
echo " - Skipping same page refid $id "
else
sed -i -E "s%<<$id(|,([^,>]+))>>%xref:${xref_page}#${id}[\2]%g" $adoc_file_to_replace
fi
done
done
78 lines
1.8 KiB
Plaintext
78 lines
1.8 KiB
Plaintext
[[servlet-http]]
|
|
= HTTP
|
|
|
|
All HTTP based communication should be protected xref:overview/features/exploits/http.adoc#http[using TLS].
|
|
|
|
Below you can find details around Servlet specific features that assist with HTTPS usage.
|
|
|
|
[[servlet-http-redirect]]
|
|
== Redirect to HTTPS
|
|
|
|
If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.
|
|
|
|
For example, the following Java configuration will redirect any HTTP requests to HTTPS:
|
|
|
|
.Redirect to HTTPS
|
|
====
|
|
.Java
|
|
[source,java,role="primary"]
|
|
----
|
|
@Configuration
|
|
@EnableWebSecurity
|
|
public class WebSecurityConfig extends
|
|
WebSecurityConfigurerAdapter {
|
|
|
|
@Override
|
|
protected void configure(HttpSecurity http) {
|
|
http
|
|
// ...
|
|
.requiresChannel(channel -> channel
|
|
.anyRequest().requiresSecure()
|
|
);
|
|
}
|
|
}
|
|
----
|
|
|
|
.Kotlin
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@Configuration
|
|
@EnableWebSecurity
|
|
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
|
|
|
override fun configure(http: HttpSecurity) {
|
|
http {
|
|
// ...
|
|
requiresChannel {
|
|
secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
|
|
}
|
|
}
|
|
}
|
|
}
|
|
----
|
|
====
|
|
|
|
The following XML configuration will redirect all HTTP requests to HTTPS
|
|
|
|
.Redirect to HTTPS with XML Configuration
|
|
====
|
|
[source,xml]
|
|
----
|
|
<http>
|
|
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
|
|
...
|
|
</http>
|
|
----
|
|
====
|
|
|
|
|
|
[[servlet-hsts]]
|
|
== Strict Transport Security
|
|
|
|
Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.
|
|
|
|
[[servlet-http-proxy-server]]
|
|
== Proxy Server Configuration
|
|
|
|
Spring Security xref:overview/features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].
|