首頁 探索 說明
註冊 登入
github
/
spring-security
镜像来自 https://github.com/spring-projects/spring-security
2
0
複刻 0
檔案 問題管理 0 Wiki
目錄樹: 9f24fad4a9
分支列表 標籤列表
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
reactive
/
exploits
/
http.adoc

http.adoc 2.3 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293 
  1. [[webflux-http]]
    2. 

  2. = HTTP
    3. 

  3. 

  4. All HTTP-based communication should be protected with xref:features/exploits/http.adoc#http[using TLS].
    5. 

  5. 

  6. This section covers details about using WebFlux-specific features that assist with HTTPS usage.
    7. 

  7. 

  8. [[webflux-http-redirect]]
    9. 

  9. == Redirect to HTTPS
    10. 

  10. 

  11. If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS.
    12. 

  12. 

  13. The following Java configuration redirects any HTTP requests to HTTPS:
    14. 

  14. 

  15. .Redirect to HTTPS
    16. 

  16. [tabs]
    17. 

  17. ======
    18. 

  18. Java::
    19. 

  19. +
    20. 

  20. [source,java,role="primary"]
    21. 

  21. ----
    22. 

  22. @Bean
    23. 

  23. SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    24. 

  24. 	http
    25. 

  25. 		// ...
    26. 

  26. 		.redirectToHttps(withDefaults());
    27. 

  27. 	return http.build();
    28. 

  28. }
    29. 

  29. ----
    30. 

  30. 

  31. Kotlin::
    32. 

  32. +
    33. 

  33. [source,kotlin,role="secondary"]
    34. 

  34. ----
    35. 

  35. @Bean
    36. 

  36. fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    37. 

  37.     return http {
    38. 

  38.         // ...
    39. 

  39.         redirectToHttps { }
    40. 

  40.     }
    41. 

  41. }
    42. 

  42. ----
    43. 

  43. ======
    44. 

  44. 

  45. You can wrap the configuration can be wrapped around an `if` statement to be turned on only in production.
    46. 

  46. Alternatively, you can enable it by looking for a property about the request that happens only in production.
    47. 

  47. For example, if the production environment adds a header named `X-Forwarded-Proto`, you should use the following Java Configuration:
    48. 

  48. 

  49. .Redirect to HTTPS when X-Forwarded
    50. 

  50. [tabs]
    51. 

  51. ======
    52. 

  52. Java::
    53. 

  53. +
    54. 

  54. [source,java,role="primary"]
    55. 

  55. ----
    56. 

  56. @Bean
    57. 

  57. SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    58. 

  58. 	http
    59. 

  59. 		// ...
    60. 

  60. 		.redirectToHttps(redirect -> redirect
    61. 

  61. 			.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
    62. 

  62. 		);
    63. 

  63. 	return http.build();
    64. 

  64. }
    65. 

  65. ----
    66. 

  66. 

  67. Kotlin::
    68. 

  68. +
    69. 

  69. [source,kotlin,role="secondary"]
    70. 

  70. ----
    71. 

  71. @Bean
    72. 

  72. fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    73. 

  73.     return http {
    74. 

  74.         // ...
    75. 

  75.         redirectToHttps {
    76. 

  76.             httpsRedirectWhen {
    77. 

  77.                 it.request.headers.containsKey("X-Forwarded-Proto")
    78. 

  78.             }
    79. 

  79.         }
    80. 

  80.     }
    81. 

  81. }
    82. 

  82. ----
    83. 

  83. ======
    84. 

  84. 

  85. [[webflux-hsts]]
    86. 

  86. == Strict Transport Security
    87. 

  87. 

  88. Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.
    89. 

  89. 

  90. [[webflux-http-proxy-server]]
    91. 

  91. == Proxy Server Configuration
    92. 

  92. 

  93. Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].
    94.