Spring Security login loop with requires-channel and Amazon Elastic Load Balancing

I am trying to get Spring Security running on a server behind an Amazon Elastic Load Balancer (ELB). The ELB is configured to forward port 80 to my application on port 8080, and port 443 to forward to 8080 as well.

    <security:intercept-url pattern="/login.xhtml"
                            access="IS_AUTHENTICATED_ANONYMOUSLY"
                            requires-channel="https" />
    <security:port-mappings>
        <security:port-mapping http="80" https="443" />
    </security:port-mappings>

Whenever I access this page, I get into a login loop. Any idea how to solve this? I am not sure whether Spring Security has problems with the fact that the ELB is directing traffic from HTTPS 443 to my application on port 8080.

+6
2 answers

It turns out that Spring Security uses ServletRequest.getServerPort() to determine if it uses a secure port. My Tomcat was configured using 8080 and 8443, so when the ELB forwarded the request from 443 to my internal Tomcat on 8443, the webapp did not accept this as a secure port:

 20 Jun 18:16:49,184 ["http-bio-8443"-exec-5] DEBUG org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint - Redirecting to: /login.xhtml

I also tried using a proxy port, but could not get this to work. Also, if you configure the Spring Security port mappings to use 8443 instead, the redirection will not work correctly (it will redirect the application to 8443, which does not exist externally).

Long story short, the following settings worked: the ELB forwards 80 -> 80 and 443 -> 443. Set Tomcat to use 80 and 443. Set the port mappings to use 80 and 443 in Spring Security.

+3
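
The three port setups this answer describes can be compared with a simplified model of the redirect step. This is an added example written for this page, not Spring Security's source and not the answerer's code; it assumes the entry point looks up the request's server port in the port mappings and falls back to the bare path when no entry exists, and the class, method and host names are hypothetical.

```java
import java.util.Map;

// Simplified model of how an HTTPS retry redirect is built from the request's
// server port and the configured port mappings. All names are hypothetical.
public class ChannelRedirectModel {

    static final int STANDARD_HTTPS_PORT = 443;

    // Returns the Location the client is sent to when the channel check fails.
    static String redirectTarget(String host, int serverPort, String path,
                                 Map<Integer, Integer> httpToHttps) {
        Integer httpsPort = httpToHttps.get(serverPort);
        if (httpsPort == null) {
            // No mapping for this port: only the path is returned, so the
            // client repeats the same request and the loop begins.
            return path;
        }
        // The port is left out of the URL when it is the HTTPS default.
        String port = (httpsPort == STANDARD_HTTPS_PORT) ? "" : ":" + httpsPort;
        return "https://" + host + port + path;
    }

    public static void main(String[] args) {
        String host = "app.example.com";   // constructed sample host
        String path = "/login.xhtml";

        // Mapping 80->443 while the container reports 8443: no entry, bare path,
        // as in the "Redirecting to: /login.xhtml" log line.
        System.out.println(redirectTarget(host, 8443, path, Map.of(80, 443)));

        // Mapping 8080->8443: absolute URL on a port the ELB does not expose.
        System.out.println(redirectTarget(host, 8080, path, Map.of(8080, 8443)));

        // Container on 80/443 with mapping 80->443: the redirect is reachable
        // from outside, which is the setup that worked.
        System.out.println(redirectTarget(host, 80, path, Map.of(80, 443)));
    }
}
```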

The redirect cycle almost always happens because you have a secure URL that should not be protected. All URLs are protected by default in Spring Security.

Also, if JavaScript, CSS, or image resources are loaded in separate requests on the login page, their URLs are also protected, and this can cause a loop.

Turn on the debug log and you should see why you are being redirected. This will help you with setting up debug logging (search the page for "debug").

+2

Source: https://habr.com/ru/post/890881/