Spring SAML security, redirecting to HTTP instead of HTTPS when using SAMLContextProviderLB configured on HTTP scheme

Properties set on the SAMLContextProviderLB context provider bean:

```xml
<property name="scheme" value="https"/>
<property name="serverName" value="${sp.hostname}"/>
<property name="serverPort" value="#{'${sp.ssl.port}'=='' ? 443 : '${sp.ssl.port}'}"/>
<property name="includeServerPortInRequestURL" value="#{'${sp.ssl.port}'=='443' ? false : true }"/>
<property name="contextPath" value="/${sp.context.root}"/>
```

I am behind a proxy, so I offload SSL termination. The server itself listens on a non-SSL port; the front end terminates SSL for us and forwards to that non-SSL port. I configured SAMLContextProviderLB with the above properties so that, even though the backend speaks plain HTTP, it knows to present the intended recipient of the SAML token as an https audience. However, as the logs below show, when I go to a protected resource it returns garbage in the browser. When I change the scheme to https in the browser, it works as intended. Looking at the logs, the value returned for the DefaultSavedRequest URL is HTTP, when it should be HTTPS.

```
2016-03-07 18:24:11,907 INFO  org.springframework.security.saml.log.SAMLDefaultLogger.log:127 - AuthNResponse;SUCCESS;10.4.203.88;https://myserver:89/fct;https://www.myADFS.com/adfs/services/trust;camachof@email.com;;
2016-03-07 18:24:11,909 DEBUG org.springframework.security.saml.SAMLProcessingFilter.successfulAuthentication:317 - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@830e9237: Principal: camachof@email.com; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities
2016-03-07 18:24:11,910 DEBUG org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler.onAuthenticationSuccess:79 - Redirecting to DefaultSavedRequest Url: http://MyServer:89/MTC/page
2016-03-07 18:24:11,911 DEBUG org.springframework.security.web.DefaultRedirectStrategy.sendRedirect:36 - Redirecting to 'http://myserver:89/fct/page'
2016-03-07 18:24:11,911 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository.saveContext:292 - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@830e9237: Authentication: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@830e9237: Principal: camachof@email.com; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
2016-03-07 18:24:11,912 DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter:97 - SecurityContextHolder now cleared, as request processing completed
```

Any ideas how to get this to use HTTPS as part of this setup? Thanks in advance.

+5

1 answer

This question is old, but in case others find it, I will post an answer.

Either your load balancer or your reverse proxy (Apache httpd or nginx) should do the extra work for you. Spring (or Spring Boot) and the embedded Tomcat (or Jetty) believe they are an http server. Which they are. If the proxy passes certain header variables, Tomcat will begin to think it is running https.

Here's what Apache needs as an example:

```apache
ProxyPreserveHost On
# 'add' appends to any client-supplied X-Forwarded-Proto; 'set' would replace it
RequestHeader add X-Forwarded-Proto https
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
```

ProxyPass and ProxyPassReverse are what you probably already have. But ProxyPreserveHost and X-Forwarded-Proto are what really matter.

Check out this section of the Spring Boot documentation. If X-Forwarded-For or X-Forwarded-Proto are set, you should add this to your application.properties file:

```properties
server.use-forward-headers=true
```

In that document, you will also see that you can add these properties for your specific Tomcat configuration:

```properties
server.tomcat.remote-ip-header=x-your-remote-ip-header
server.tomcat.protocol-header=x-your-protocol-header
```

Add all of this to what you already have, and it will start working. What you have above is not, by itself, enough to make Tomcat start treating requests as https.

I found that since my company had a hardware load balancer (managed by Rackspace), it was difficult to get it configured to make these changes. So we terminate SSL at the firewall / load balancer, then forward requests to Apache on port 80, and Apache forwards them to Java on port 8080. Yes, this is a mess. But it gets past all this nonsense.

+3
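To see why the saved-request URL in the question's logs comes out as http and what the X-Forwarded-Proto header changes, here is a small Python model of how a forwarded-header-aware container decides the scheme, host and port of a request. It is an added example, not the asker's configuration or Tomcat's or Spring's code; the trusted-proxy list, sample headers and addresses are constructed. It also shows the check Tomcat's remote-ip handling performs: the forwarded header is honoured only when the immediate peer is a known proxy, so a client cannot pick the scheme of its own redirect.

```python
import ipaddress
from urllib.parse import urlunsplit

# Constructed values: the only peers whose forwarded headers are honoured.
# This models the role of Tomcat's internal-proxies setting; it is not Tomcat's code.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/8")]
DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_request(headers, remote_addr, local_scheme="http"):
    """Return the (scheme, host, port) the application should believe it serves.

    Without trusted X-Forwarded-* headers the scheme is whatever the container
    itself speaks (plain http behind a TLS-terminating proxy); host and port
    come from the Host header, which the proxy preserves (ProxyPreserveHost).
    """
    h = {k.lower(): v for k, v in headers.items()}
    host, _, host_port = h.get("host", "localhost").partition(":")
    scheme = local_scheme
    port = int(host_port) if host_port else DEFAULT_PORTS[scheme]
    if any(ipaddress.ip_address(remote_addr) in net for net in TRUSTED_PROXIES):
        # First value only: proxies may append to an existing header.
        proto = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if proto in DEFAULT_PORTS:
            scheme = proto
            port = int(h.get("x-forwarded-port", DEFAULT_PORTS[proto]))
    return scheme, host, port


def saved_request_url(headers, remote_addr, path):
    """Rebuild the absolute URL a SavedRequest-style post-login redirect uses."""
    scheme, host, port = effective_request(headers, remote_addr)
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return urlunsplit((scheme, netloc, path, "", ""))


if __name__ == "__main__":
    # Proxy preserves Host but sends no X-Forwarded-Proto: redirect stays http.
    print(saved_request_url({"Host": "myserver:89"}, "127.0.0.1", "/fct/page"))
    # Proxy adds X-Forwarded-Proto: redirect becomes https.
    print(saved_request_url({"Host": "myserver:89", "X-Forwarded-Proto": "https"},
                            "127.0.0.1", "/fct/page"))
    # Same header from an untrusted address is ignored.
    print(saved_request_url({"Host": "myserver:89", "X-Forwarded-Proto": "https"},
                            "203.0.113.5", "/fct/page"))
```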

Source: https://habr.com/ru/post/1244622/
