如何让SpringSecurity / Grails与终止SSL的Load Balancer很好地配合

时间:2014-12-11 00:12:18

标签: spring tomcat grails spring-security amazon-elb

我们在Tomcat上有一个Grails应用程序,它部署在一个终止SSL的Load Balancer后面(负载均衡器然后与端口8080上的tomcat实例通信)。我们已将SpringSecurity配置为需要所有资源上的安全通道,注意来自负载均衡器的标头,强制https并映射来自负载均衡器的端口:

grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugin.springsecurity.auth.forceHttps = true
grails.plugin.springsecurity.portMapper.httpPort = 80
grails.plugin.springsecurity.portMapper.httpsPort = 443
grails.plugin.springsecurity.secureChannel.definition = [
        '/**': 'REQUIRES_SECURE_CHANNEL'
]

大部分工作正常 - Grails内部的重定向正在按预期使用https协议,以及大多数ajax请求。

但是有一些ajax请求 正常工作。它们都与j_spring_security *端点(如j_spring_security_check)交互的结果有关。例如,如果用户尝试通过ajax登录,我们会在浏览器中收到此错误(这是成功登录启动的重定向):

 Mixed Content: The page at 'https://www.servernamehere.com/' was loaded over HTTPS, but 
 requested an insecure XMLHttpRequest endpoint 'http://www.servernamehere.com/login/ajaxSuccess'.
 This request has been blocked; the content must be served over HTTPS.

验证失败后会出现同样的问题:

Mixed Content: The page at 'https://www.servernamehere.com/' was loaded over HTTPS, but requested 
an insecure XMLHttpRequest endpoint 'http://www.servernamehere.com/login/authfail?ajax=true'. 
This request has been blocked; the content must be served over https.

我们如何配置spring security以了解所有来自身份验证事件的重定向都需要是https?

2 个答案:

答案 0 :(得分:0)

我们能够通过创建自定义重定向策略(实现org.springframework.security.web.RedirectStrategy)并使用我们的自定义策略bean替换默认重定向策略bean来解决此问题。自定义重定向策略检查负载均衡器传入的标头,并确保将响应重定向到适当的协议

答案 1 :(得分:0)

我有一个类似的设置,我在Grails app secureChanel标题中设置如下:

grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugin.springsecurity.portMapper.httpPort = 80
grails.plugin.springsecurity.portMapper.httpsPort = 443
grails.plugin.springsecurity.secureChannel.secureHeaderName = 'X-Forwarded-Proto'
grails.plugin.springsecurity.secureChannel.secureHeaderValue = 'http'
grails.plugin.springsecurity.secureChannel.insecureHeaderName = 'X-Forwarded-Proto'
grails.plugin.springsecurity.secureChannel.insecureHeaderValue = 'https'

Grails spring安全插件https://github.com/grails-plugins/grails-spring-security-core/issues/395的两个版本(2.x,3.x)都有一个错误,但它已经修复了....

相关问题
最新问题