Accueil Explorer Aide
S'inscrire Connexion
github
/
spring-security
miroir de https://github.com/spring-projects/spring-security
2
0
Fork 0
Fichiers Tickets 0 Wiki
Aborescence: e681e44268
Branches Tags
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
reactive
/
exploits
/
http.adoc

http.adoc 2.2 KB
Historique Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687 
  1. [[webflux-http]]
    2. 

  2. = HTTP
    3. 

  3. 

  4. All HTTP based communication should be protected xref:features/exploits/http.adoc#http[using TLS].
    5. 

  5. 

  6. Below you can find details around WebFlux specific features that assist with HTTPS usage.
    7. 

  7. 

  8. [[webflux-http-redirect]]
    9. 

  9. == Redirect to HTTPS
    10. 

  10. 

  11. If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.
    12. 

  12. 

  13. For example, the following Java configuration will redirect any HTTP requests to HTTPS:
    14. 

  14. 

  15. .Redirect to HTTPS
    16. 

  16. ====
    17. 

  17. .Java
    18. 

  18. [source,java,role="primary"]
    19. 

  19. ----
    20. 

  20. @Bean
    21. 

  21. SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    22. 

  22. 	http
    23. 

  23. 		// ...
    24. 

  24. 		.redirectToHttps(withDefaults());
    25. 

  25. 	return http.build();
    26. 

  26. }
    27. 

  27. ----
    28. 

  28. 

  29. .Kotlin
    30. 

  30. [source,kotlin,role="secondary"]
    31. 

  31. ----
    32. 

  32. @Bean
    33. 

  33. fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    34. 

  34.     return http {
    35. 

  35.         // ...
    36. 

  36.         redirectToHttps { }
    37. 

  37.     }
    38. 

  38. }
    39. 

  39. ----
    40. 

  40. ====
    41. 

  41. 

  42. The configuration can easily be wrapped around an if statement to only be turned on in production.
    43. 

  43. Alternatively, it can be enabled by looking for a property about the request that only happens in production.
    44. 

  44. For example, if the production environment adds a header named `X-Forwarded-Proto` the following Java Configuration could be used:
    45. 

  45. 

  46. .Redirect to HTTPS when X-Forwarded
    47. 

  47. ====
    48. 

  48. .Java
    49. 

  49. [source,java,role="primary"]
    50. 

  50. ----
    51. 

  51. @Bean
    52. 

  52. SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    53. 

  53. 	http
    54. 

  54. 		// ...
    55. 

  55. 		.redirectToHttps(redirect -> redirect
    56. 

  56. 			.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
    57. 

  57. 		);
    58. 

  58. 	return http.build();
    59. 

  59. }
    60. 

  60. ----
    61. 

  61. 

  62. .Kotlin
    63. 

  63. [source,kotlin,role="secondary"]
    64. 

  64. ----
    65. 

  65. @Bean
    66. 

  66. fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    67. 

  67.     return http {
    68. 

  68.         // ...
    69. 

  69.         redirectToHttps {
    70. 

  70.             httpsRedirectWhen {
    71. 

  71.                 it.request.headers.containsKey("X-Forwarded-Proto")
    72. 

  72.             }
    73. 

  73.         }
    74. 

  74.     }
    75. 

  75. }
    76. 

  76. ----
    77. 

  77. ====
    78. 

  78. 

  79. [[webflux-hsts]]
    80. 

  80. == Strict Transport Security
    81. 

  81. 

  82. Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.
    83. 

  83. 

  84. [[webflux-http-proxy-server]]
    85. 

  85. == Proxy Server Configuration
    86. 

  86. 

  87. Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].
    88.