我只是将我的webapp迁移到HTTPS,除了ajax登录外,一切正常。(虽然非ajax登录有效)
当我尝试登录时,收到以下错误消息:
Mixed Content: The page at 'https://www.foo.bar/paris' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://www.foo.bar/security/ajax-success'. This request has been blocked; the content must be served over HTTPS.
在网络标签中我得到了
https://www.foo.bar/security/ajax-login status - > canceled
http://www.foo.bar/security/ajax-success status -> blocked(mixed-content)
我使用apache2和tomcat与ProxyPass 这是我的default-ssl配置:
<VirtualHost _default_:443>
ServerAdmin contact@foo.bar
ServerName www.foo.bar
ErrorLog /home/apache_logs/error_website.log
CustomLog /home/apache_logs/access_website.log combined
SSLEngine on
SSLCertificateFile /home/sslcerts/certs/www.foo.bar.crt
SSLCertificateKeyFile /home/sslcerts/private/foo.key
SSLCertificateChainFile /home/sslcerts/certs/foo.pem
SSLVerifyClient None
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://0.0.0.0:8080/
ProxyPassReverse / https://0.0.0.0:8080/
</VirtualHost>
<VirtualHost *:80>
ServerName www.foo.bar
ServerAlias foo.bar
Redirect "/" "https://www.foo.bar/"
</VirtualHost>
我在这个java web应用程序中使用Spring安全性,这是我的配置文件:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class MultiHttpSecurityConfig {
@Autowired
@Qualifier("userDetailsService")
UserDetailsService userDetailsService;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Configuration
@Order(1)
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.antMatcher("/security/**")
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.loginProcessingUrl("/security/ajax-login")
.loginPage("/security/ajax-login-page")
.failureUrl("/ajax-failure")
.defaultSuccessUrl("/security/ajax-success", true)
.and()
.logout()
.invalidateHttpSession(true)
.deleteCookies("hdfyer")
.logoutRequestMatcher(new AntPathRequestMatcher("/app/logout"));
}
}
@Configuration
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/resources/**")
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/account").access("hasRole('ROLE_USER')")
.and()
.formLogin()
.loginPage("/login")
.failureUrl("/login?error")
.loginProcessingUrl("/j_spring_security_check")
.usernameParameter("username")
.passwordParameter("password")
.successHandler(new AuthenticationSuccessCallback())
.and()
.logout()
.invalidateHttpSession(true)
.deleteCookies("jforumUserInfo")
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
}
@Bean(name = "myAuthenticationManager")
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
}
我尝试添加requiresChannel或portMapper但没有成功(虽然有时会出现太多重定向错误但它有时失败了。)。
我也失败了,看看这些配置有什么问题。 如何让spring security在https而不是http?
上重定向ajax登录成功答案 0 :(得分:0)
解决方案非常简单:
将以下代码行添加到您的配置方法
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requiresChannel().antMatchers("/login**,/user**").requiresSecure();
}
注意:/ login **,/ logout **应作为apache2配置中代理传递的一部分提及 添加到antMatcher - 无论哪个请求从https重定向到http。
apache2配置中还有一件事需要添加
RequestHeader set X-Forwarded-Proto https
和 在你的spring-boot application.properties中(如果你有的话) 添加以下属性
<强>
server.tomcat.remote_ip_header = X-转发换
server.tomcat.protocol_header = X-转发-原