Trang chủ Khám phá Trợ giúp
Đăng ký Đăng nhập
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Các tập tin Các vấn đề 0 Wiki
Tree: e681e44268
Branches Tags
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
features
/
exploits
/
http.adoc

http.adoc 2.4 KB
Lịch sử Raw

1234567891011121314151617181920212223242526272829303132 
  1. [[http]]
    2. 

  2. = HTTP
    3. 

  3. 

  4. All HTTP based communication, including https://www.troyhunt.com/heres-why-your-static-website-needs-https/[static resources], should be protected https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html[using TLS].
    5. 

  5. 

  6. As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly.
    7. 

  7. However, it does provide a number of features that help with HTTPS usage.
    8. 

  8. 

  9. [[http-redirect]]
    10. 

  10. == Redirect to HTTPS
    11. 

  11. 

  12. When a client uses HTTP, Spring Security can be configured to redirect to HTTPS both xref:servlet/exploits/http.adoc#servlet-http-redirect[Servlet] and xref:reactive/exploits/http.adoc#webflux-http-redirect[WebFlux] environments.
    13. 

  13. 

  14. [[http-hsts]]
    15. 

  15. == Strict Transport Security
    16. 

  16. 

  17. Spring Security provides support for xref:features/exploits/headers.adoc#headers-hsts[Strict Transport Security] and enables it by default.
    18. 

  18. 

  19. [[http-proxy-server]]
    20. 

  20. == Proxy Server Configuration
    21. 

  21. 

  22. When using a proxy server it is important to ensure that you have configured your application properly.
    23. 

  23. For example, many applications will have a load balancer that responds to request for https://example.com/ by forwarding the request to an application server at https://192.168.1:8080.
    24. 

  24. Without proper configuration, the application server will not know that the load balancer exists and treat the request as though https://192.168.1:8080 was requested by the client.
    25. 

  25. 

  26. To fix this you can use https://tools.ietf.org/html/rfc7239[RFC 7239] to specify that a load balancer is being used.
    27. 

  27. To make the application aware of this, you need to either configure your application server aware of the X-Forwarded headers.
    28. 

  28. For example Tomcat uses the https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html[RemoteIpValve] and Jetty uses https://www.eclipse.org/jetty/javadoc/jetty-9/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[ForwardedRequestCustomizer].
    29. 

  29. Alternatively, Spring users can leverage https://github.com/spring-projects/spring-framework/blob/v4.3.3.RELEASE/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java[ForwardedHeaderFilter].
    30. 

  30. 

  31. Spring Boot users may use the `server.use-forward-headers` property to configure the application.
    32. 

  32. See the https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server[Spring Boot documentation] for further details.
    33.