Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
spring-security/docs/modules/ROOT/pages/servlet/exploits/http.adoc

80 lines
1.8 KiB
Plaintext
Raw Blame History

[[servlet-http]]
= HTTP
All HTTP-based communication should be protected xref:features/exploits/http.adoc#http[using TLS].
This section discusses the details of servlet-specific features that assist with HTTPS usage.
[[servlet-http-redirect]]
== Redirect to HTTPS
If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS.
For example, the following Java or Kotlin configuration redirects any HTTP requests to HTTPS:
.Redirect to HTTPS
====
.Java
[source,java,role="primary"]
----
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
// ...
.requiresChannel(channel -> channel
.anyRequest().requiresSecure()
);
return http.build();
}
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
// ...
requiresChannel {
secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
}
}
return http.build()
}
}
----
====
The following XML configuration redirects all HTTP requests to HTTPS
.Redirect to HTTPS with XML Configuration
====
[source,xml]
----
<http>
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
...
</http>
----
====
[[servlet-hsts]]
== Strict Transport Security
Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.
[[servlet-http-proxy-server]]
== Proxy Server Configuration
Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].
Reference in New Issue View Git Blame Copy Permalink