Grails - spring - secure redirect security channel (on Heroku)

I use spring-security-core and have configured the secure channel feature, which works fine on my development machine. I have the following in Config.groovy:

grails.plugins.springsecurity.secureChannel.definition = [
    '/order/checkout':        'REQUIRES_SECURE_CHANNEL',
    '/order/paymentComplete': 'REQUIRES_INSECURE_CHANNEL'
]

However, when deploying to Heroku, the corresponding order processing works fine only as long as I comment out the lines above. As soon as I put them back in, I get:

(image: redirect error)

I see that a lot of requests have hit the server, and the Firebug network view shows:

(image: redirect network view)

I have Piggyback SSL added on Heroku, and I can type an https://... address to go to other parts of the site, in which case the browser stays in SSL mode. But if I go to

https://www.momentumnow.co/order/checkout

I get the same redirect problem. Do you know what the problem is, or how I can debug this further? If the latter, please ask in the comments and I will respond with updates in the question. Thanks

The Piggyback SSL documentation says:

"Piggyback SSL will allow you to use https://yourapp.heroku.com because it uses the *.heroku.com certificate. There is no need to buy or configure a certificate; it just works. https://yourcustomdomain.com will work, but the browser will give a warning."

I will probably switch to another mode when I add a certificate; however, this does not seem to be the problem, based on the statement above.


On the server, I get: (screenshot not included)

+4

2 answers

You need to set the values for the ports, since by default they are 8080 and 8443. See "Channel Security" in the docs (http://grails-plugins.github.com/grails-spring-security-core/docs/manual/) for the grails.plugins.springsecurity.portMapper.httpPort and grails.plugins.springsecurity.portMapper.httpsPort configuration attributes.

+6

If someone else stumbles upon this (like me), the problem is that your application does not actually receive the request as HTTPS. Rather, Heroku substitutes an "X-Forwarded-Proto" header for HTTPS. Spring Security's HTTPS redirection then puts you in an endless redirect loop because it always detects the request as HTTP.

You can write your own SecureChannelProcessor to handle this:

import java.io.IOException;
import java.util.Collection;

import javax.servlet.ServletException;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.channel.SecureChannelProcessor;
import org.springframework.util.Assert;

public class HerokuSecureChannelProcessor extends SecureChannelProcessor {

    @Override
    public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config)
            throws IOException, ServletException {
        Assert.isTrue((invocation != null) && (config != null), "Nulls cannot be provided");

        for (ConfigAttribute attribute : config) {
            if (supports(attribute)) {
                String header = invocation.getHttpRequest().getHeader("X-Forwarded-Proto");
                if (header == null) {
                    // No proxy header: fall back to the container's own view of the connection.
                    if (!invocation.getHttpRequest().isSecure()) {
                        getEntryPoint().commence(invocation.getRequest(), invocation.getResponse());
                    }
                } else {
                    // Behind the Heroku router: use the header, which reflects the client's protocol.
                    if ("http".equals(header)) {
                        getEntryPoint().commence(invocation.getRequest(), invocation.getResponse());
                    }
                }
            }
        }
    }
}
+1
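The two answers describe two separate causes of the loop: the port mapper defaults (8080/8443 instead of Heroku's 80/443) and the channel processor judging the scheme from isSecure() instead of X-Forwarded-Proto. The following is an added model of that decision logic, written for this page and not code from the question, the answers, the Grails plugin or Spring Security. It replays a browser following redirects through a simplified Heroku router (TLS terminated, plain HTTP forwarded with X-Forwarded-Proto), and simplifies Spring's retry entry point to the parts that matter here; the hostname www.example.test is constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

REQUIRES_SECURE = "REQUIRES_SECURE_CHANNEL"
REQUIRES_INSECURE = "REQUIRES_INSECURE_CHANNEL"

# Spring Security's port mapper defaults versus the mapping Heroku needs (answer 1).
DEFAULT_PORT_MAP = {8080: 8443, 8443: 8080}
HEROKU_PORT_MAP = {80: 443, 443: 80}


@dataclass
class Request:
    """Constructed model of a request as the servlet container inside the dyno sees it."""
    url: str                                   # URL the browser asked for
    is_secure: bool                            # what HttpServletRequest.isSecure() reports
    headers: dict = field(default_factory=dict)


def observed_scheme(req: Request, trust_forwarded_proto: bool) -> str:
    """Scheme the channel processor believes the client used (answer 2's decision)."""
    forwarded = req.headers.get("X-Forwarded-Proto")
    if trust_forwarded_proto and forwarded is not None:
        return forwarded.lower()
    return "https" if req.is_secure else "http"


def decide(req: Request, policy: str, trust_forwarded_proto: bool, port_map: dict):
    """Return the redirect URL the retry entry point would send, or None to let the request through."""
    wanted = "https" if policy == REQUIRES_SECURE else "http"
    if observed_scheme(req, trust_forwarded_proto) == wanted:
        return None
    parts = urlsplit(req.url)
    current_port = parts.port or (443 if parts.scheme == "https" else 80)
    mapped_port = port_map.get(current_port)
    if mapped_port is None:
        # Unmapped port: Spring's retry entry point keeps only the path, which the browser
        # resolves against the same scheme and host, so model it as a self-redirect.
        return req.url
    standard_port = 443 if wanted == "https" else 80
    host = parts.hostname if mapped_port == standard_port else f"{parts.hostname}:{mapped_port}"
    return urlunsplit((wanted, host, parts.path, parts.query, ""))


def behind_heroku(url: str) -> Request:
    """Constructed: the Heroku router terminates TLS and forwards plain HTTP plus X-Forwarded-Proto."""
    return Request(url=url, is_secure=False, headers={"X-Forwarded-Proto": urlsplit(url).scheme})


def follow_redirects(url: str, policy: str, trust_forwarded_proto: bool, port_map: dict, max_hops: int = 5):
    """Replay the browser following redirects; return the hop count, or 'loop' if it never settles."""
    for hops in range(max_hops + 1):
        target = decide(behind_heroku(url), policy, trust_forwarded_proto, port_map)
        if target is None:
            return hops
        url = target
    return "loop"


if __name__ == "__main__":
    start = "http://www.example.test/order/checkout"   # constructed hostname
    print(follow_redirects(start, REQUIRES_SECURE, False, DEFAULT_PORT_MAP))  # loop: both defaults wrong
    print(follow_redirects(start, REQUIRES_SECURE, True, DEFAULT_PORT_MAP))   # loop: ports still 8080/8443
    print(follow_redirects(start, REQUIRES_SECURE, False, HEROKU_PORT_MAP))   # loop: isSecure() is always false
    print(follow_redirects(start, REQUIRES_SECURE, True, HEROKU_PORT_MAP))    # 1: one redirect, then served
```

Only the last combination settles, which is why the two answers are complementary rather than alternatives: fixing the ports alone still loops on isSecure(), and honouring the header alone still loops on an unmapped port 80. Trusting X-Forwarded-Proto is sound only when every request reaches the application through the Heroku router, which sets that header itself; if the container were reachable directly, the header would be whatever the client chose to send.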

Source: https://habr.com/ru/post/1394116/
