
Spring Boot Security using http instead of https when forwarding to login page

I am using Spring Boot Security with a custom AuthenticationProvider to secure a Java Spring Boot application. Attempts to access the application via a browser are directed to a custom login page. The body of my security config class is pasted below:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@Configuration
public class SecurityConfiguration {

    // Custom provider that authenticates users against Documentum (class defined elsewhere in the project)
    @Bean
    public AuthenticationProvider authenticationProvider() {
        return new DocumentumAuthenticationProvider();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                // every request must come from an authenticated user...
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                // ...except the custom login page, which must be reachable anonymously
                .formLogin()
                .loginPage("/content/login")
                .permitAll()
                .and()
                .logout()
                .logoutUrl("/content/logout")
                .logoutSuccessUrl("/content/logout")
                .permitAll();
        return http.build();
    }

    // These paths bypass the Spring Security filter chain completely
    // (no authentication and no security headers are applied to them)
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring().antMatchers("/retrieve/**", "/upload/**",
                "/content/css/**", "/content/scripts/**", "/content/images/**");
    }

    @Bean
    public BCryptPasswordEncoder encodePWD() {
        return new BCryptPasswordEncoder();
    }
}

This all works fine when I run my services locally within my IDE. For the next step, I containerised my application and deployed it to an AWS EC2 server. I have configured a custom HTTPS port for the app and have added a corresponding listener to the Application Load Balancer.

The issue is that when a user attempts to access the app in a browser over https, Spring Security is forwarding the user to a login page using http instead of https as the protocol, e.g. the user enters the following address in the browser:

https://my-app:22223/content/documents

...and is forwarded here:

http://my-app:22223/content/login

Because this is an https port, the user sees this error page:

[Screenshot: "http instead of https" error message]

If the user manually changes the protocol to https in the browser address bar, it then works fine.

I would be very grateful if anyone would be able to advise me why Spring Boot Security is behaving this way and what steps I can take to force it to use https in the login URL. Many thanks for reading my post!


Answer

You should configure the ALB to terminate SSL (i.e. register a certificate, etc.). If this is configured correctly, the ALB will automatically add a header (X-Forwarded-Proto) that tells Spring Security that it needs to use HTTPS for its redirects.
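The header the ALB adds is only useful if the application actually applies it when it builds redirect URLs. Spring Boot does not honour X-Forwarded-* headers out of the box, so the configuration below, which is an added example rather than code from the question or the answer, registers Spring's ForwardedHeaderFilter ahead of the security filter chain. It assumes Spring Boot 2.x on embedded Tomcat with the javax.servlet API (matching the antMatchers()/authorizeRequests() style of the question's config); the package name is hypothetical.

```java
// Added example: make Spring Boot honour the X-Forwarded-Proto / X-Forwarded-Host
// headers set by the ALB, so redirects built by Spring Security (e.g. to
// /content/login) use the client-facing https scheme and host.
//
// Property-only alternative (no code): put
//   server.forward-headers-strategy=native
// in application.properties. That uses Tomcat's RemoteIpValve, which by default
// trusts forwarded headers only from private/loopback proxy addresses
// (server.tomcat.remoteip.internal-proxies), which is the safer default.
package com.example.config; // hypothetical package name

import javax.servlet.DispatcherType;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.ForwardedHeaderFilter;

@Configuration
public class ForwardedHeadersConfiguration {

    @Bean
    public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
        ForwardedHeaderFilter filter = new ForwardedHeaderFilter();
        FilterRegistrationBean<ForwardedHeaderFilter> registration =
                new FilterRegistrationBean<>(filter);

        // Run before the Spring Security filter chain so that
        // HttpServletRequest#getScheme(), #isSecure() and #getServerName()
        // already reflect the https URL the browser used when the
        // login redirect is constructed.
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        registration.setDispatcherTypes(DispatcherType.REQUEST,
                DispatcherType.ASYNC, DispatcherType.ERROR);
        return registration;
    }
}
```

ForwardedHeaderFilter trusts the X-Forwarded-* headers from whoever sent the request, so with this filter in place the container's port must be reachable only from the ALB (for example via the EC2 security group); if clients can hit the app directly they could present their own X-Forwarded-Proto or X-Forwarded-Host values and influence where redirects point. Where that isolation cannot be guaranteed, prefer the native strategy with its internal-proxies check.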
