| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 |
- [[servlet-http]]
- = HTTP
- All HTTP based communication should be protected xref:features/exploits/http.adoc#http[using TLS].
- Below you can find details around Servlet specific features that assist with HTTPS usage.
- [[servlet-http-redirect]]
- == Redirect to HTTPS
- If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.
- For example, the following Java configuration will redirect any HTTP requests to HTTPS:
- .Redirect to HTTPS
- ====
- .Java
- [source,java,role="primary"]
- ----
- @Configuration
- @EnableWebSecurity
- public class WebSecurityConfig extends
- WebSecurityConfigurerAdapter {
- @Override
- protected void configure(HttpSecurity http) {
- http
- // ...
- .requiresChannel(channel -> channel
- .anyRequest().requiresSecure()
- );
- }
- }
- ----
- .Kotlin
- [source,kotlin,role="secondary"]
- ----
- @Configuration
- @EnableWebSecurity
- class SecurityConfig : WebSecurityConfigurerAdapter() {
- override fun configure(http: HttpSecurity) {
- http {
- // ...
- requiresChannel {
- secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
- }
- }
- }
- }
- ----
- ====
- The following XML configuration will redirect all HTTP requests to HTTPS
- .Redirect to HTTPS with XML Configuration
- ====
- [source,xml]
- ----
- <http>
- <intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
- ...
- </http>
- ----
- ====
- [[servlet-hsts]]
- == Strict Transport Security
- Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.
- [[servlet-http-proxy-server]]
- == Proxy Server Configuration
- Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].
|
