Make every request https in Spring Security 3.2

I am using Spring Security 3.2 with the namespace configuration and want all calls to be https. I know that this will reduce performance by about 1/10, but I still want to implement it. I know that you could achieve this from Tomcat itself, but I want to configure it in security.xml.

+4
1 answer

You can configure this by adding the requires-channel attribute to each intercept-url. For example:

<http>
  <intercept-url pattern="/secure/**" access="ROLE_ADMIN" requires-channel="https"/>
  <intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
</http>

, Spring Java. , . :

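import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/secure/**").hasRole("ADMIN")
                .anyRequest().hasRole("USER")
                .and()
            // Require the secure channel (https) for every request
            .requiresChannel()
                .anyRequest().requiresSecure();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory user for demonstration only
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}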

Spring Security 3.2, , Spring . Spring Java. Strict-Transport-Security , , HTTP- . :

<headers>
  <hsts/>
</headers>


+11
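A way to check a namespace configuration for the two settings discussed in the answer above, added here as an example and not part of the original question or answer. The `audit` function and the sample XML are constructed for illustration; it flags every `intercept-url` that does not set `requires-channel="https"` and every `<http>` block that does not enable HSTS.

```python
import xml.etree.ElementTree as ET

# Constructed sample security.xml: one rule has no channel, one allows "any",
# and there is no <headers> element at all.
SAMPLE = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http>
    <intercept-url pattern="/secure/**" access="ROLE_ADMIN" requires-channel="https"/>
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>
  </http>
</beans:beans>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return a list of (location, problem) tuples; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    for http in (e for e in root.iter() if local(e.tag) == "http"):
        for rule in (e for e in http if local(e.tag) == "intercept-url"):
            # An omitted requires-channel behaves like "any": plain http is accepted.
            channel = rule.get("requires-channel", "any")
            if channel != "https":
                findings.append((rule.get("pattern"),
                                 "requires-channel is '%s', not 'https'" % channel))
        headers = [e for e in http if local(e.tag) == "headers"]
        # In 3.2 an empty <headers/> adds the default headers, HSTS among them;
        # once it has children, only the listed headers are written.
        hsts = any(len(h) == 0 or any(local(c.tag) == "hsts" for c in h)
                   for h in headers)
        if not hsts:
            findings.append(("<http>", "no <hsts/> header configured"))
    return findings


if __name__ == "__main__":
    for location, problem in audit(SAMPLE):
        print("%-12s %s" % (location, problem))
```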

Source: https://habr.com/ru/post/1525117/

