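Redirect loop when configuring a secure channel in Spring Security

Time: 2015-07-20 11:42:56

Tags: spring-security

I moved some of my application around and created separate modules, but now for some reason, when I try to enable HTTPS, it sends the request into an infinite redirect loop....

Can someone tell me why this request, http://myhost/login, issues a redirect? Here is what I think is the relevant configuration. Note that if I take out the requiresChannel part, it works fine.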

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
            //.addFilterBefore(systemAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            .addFilter(systemAuthenticationFilter())
            .addFilter(new RememberMeAuthenticationFilter(authenticationManager(), rememberMeService()))
            .authorizeRequests()
            .antMatchers("/login","/welcome", "/login/new**", "/register", "/logout", "/**", "/session/timeout", "/admin/assets/**").permitAll()
            .antMatchers("/my_account").hasRole("REGISTERED_CUSTOMER")
            .anyRequest().permitAll()
            .and()
            .formLogin()
            .failureHandler(exceptionMappingAuthenticationFailureHandler())
            .loginPage("/login")
            .loginProcessingUrl("/log_in")
            .defaultSuccessUrl("/welcome")
            .usernameParameter("username")
            .passwordParameter("password")

            .and()
            .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login")
            .deleteCookies("SPRING_SECURITY_REMEMBER_ME_COOKIE")


            .and()
            .requiresChannel()
            .antMatchers("/my_account", "/login").requiresSecure()
            .and()
            .rememberMe()
            .tokenValiditySeconds(1209600)
            .key(env.getProperty("rememberme.key"))

    ;

}  

Oh, and for this module, here is the relevant part of the servlet context from web.xml:

<servlet-mapping>
        <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <filter>
        <filter-name>encoding-filter</filter-name>
        <filter-class>
            org.springframework.web.filter.CharacterEncodingFilter
        </filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>encoding-filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>


    <filter>
        <display-name>springMultipartFilter</display-name>
        <filter-name>springMultipartFilter</filter-name>
        <filter-class>org.springframework.web.multipart.support.MultipartFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springMultipartFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <display-name>springSecurityFilterChain</display-name>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>ERROR</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

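2 answers:

Answer 0 (score: 0)

I don't know if your scenario is the same, but I ran into a similar problem when deploying a Spring Boot application on Pivotal Cloud Foundry. It seems the PaaS proxy server was redirecting https back to http. Adding a couple of lines to application.properties fixed the problem: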

server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto

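In case it helps, I have written this up on my blog here

Answer 1 (score: 0)

I spent time on this issue again today. It turns out that when I redeployed the application, I changed the HTTP port so that the old version could keep running.

In the Tomcat configuration, the connector has the following section: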

<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" URIEncoding="UTF-8" />

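I switched back to the original port 8080 and it worked. I'm not sure why the Tomcat setting matters, but if I use an HTTP port different from the HTTP port configured here, Spring Security redirects to the original HTTP port.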
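
An added example, not part of the original posts: Spring Security's channel redirect looks up the HTTPS port through its port mapper, whose built-in defaults are 80 to 443 and 8080 to 8443, so a connector on any other HTTP port needs an explicit mapping. The class name and the ports 9090 and 9443 are assumptions for illustration; use the `port` and `redirectPort` of your own Tomcat connector.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical configuration class (assumed name), written against the
// WebSecurityConfigurerAdapter style used in the question.
@Configuration
@EnableWebSecurity
public class ChannelSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed values: must match port / redirectPort of the Tomcat <Connector>.
    private static final int HTTP_PORT = 9090;
    private static final int HTTPS_PORT = 9443;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Tell Spring Security which HTTPS port belongs to the non-default
            // HTTP port, so the requiresSecure() redirect has a target to use.
            .portMapper()
                .http(HTTP_PORT).mapsTo(HTTPS_PORT)
                .and()
            // Same channel rule as in the question.
            .requiresChannel()
                .antMatchers("/my_account", "/login").requiresSecure()
                .and()
            .authorizeRequests()
                .antMatchers("/my_account").hasRole("REGISTERED_CUSTOMER")
                .anyRequest().permitAll()
                .and()
            .formLogin()
                .loginPage("/login");
    }
}
```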