您的位置: 首页  >  技术问答  >  在反向代理后面需要使用Spring Security的https

在反向代理后面需要使用Spring Security的https

分类: 技术问答 2022-05-19 09:41:02
问题描述:

我有一个使用Spring Security保护的Spring MVC应用程序。大多数应用程序使用简单的http来节省资源,但是一小部分处理更多机密信息并需要https频道。

I have a Spring MVC application secured with Spring Security. The majority of the application uses simple http to save resources, but a small part processes more confidential information and requires an https channel.

中提取security-config.xml 

<sec:http authentication-manager-ref="authenticationManager" ... >
    ...
    <sec:intercept-url pattern="/sec/**" requires-channel="https"/>
    <sec:intercept-url pattern="/**" requires-channel="http"/>
</sec:http>

所有工作正常,直到我们决定将其迁移到主服务器,其中应用程序服务器运行在反向服务器上代理。现在,HTTPS由反向代理处理,应用程序服务器只能看到HTTP请求,并且不允许访问 / sec / ** 层次结构。

All worked fine until we decided to migrate it to the main server, where the application servers run behind reverse proxies. And as now HTTPS is processed by the reverse proxies the application server only sees HTTP requests, and disallows access to the /sec/** hierarchy.

经过一些研究,我发现代理添加了一个 X-Forwarded-Proto:https header (*) ,但在Spring Security中 HttpServletRequest.isSecure()用于确定提供的通道安全性(从 SecureChannelProcessor中提取 javadoc)

After some research, I found that the proxies add a X-Forwarded-Proto: https header (*), but in Spring Security HttpServletRequest.isSecure() is used to determine the channel security offered (extract from SecureChannelProcessor javadoc)

如何告诉Spring Security X-Forwarded-Proto:https 标题对于安全请求是否足够?

How can I tell Spring Security that a X-Forwarded-Proto: https header is enough for a secure request ?

我知道我可以在代理配置上报告该部分,但代理管理员确实不喜欢该解决方案,因为有很多应用程序在代理之后,配置可能会增长到一个不可管理的状态。

I know I could report that part on proxies configuration, but the proxies administrator really does not like that solution, because there are many application behind the proxies and the configuration could grow to a non manageable state.

我目前正在使用带有XML配置的Spring Security 3.2,但我已准备好接受基于的答案Java配置和/或更新版本。

I an currently using Spring Security 3.2 with XML config, but I'm ready to accept answers based on Java config and/or more recent version.

(*)当然,如果传入请求中存在代理,则代理会删除标头,因此应用程序可以对其充满信心。 / p>

(*) of course, the proxies remove the header if it was present in incoming request, so the application can be confident in it.

如果您的站点是HTTPS并且您正在另一个处理TLS终止的系统后面运行Apache Tomcat,您可以告诉Tomcat假装它正在处理TLS终止。

If your site is HTTPS and you're running Apache Tomcat behind another system that's handling TLS termination, you can tell Tomcat to "pretend" that it's handling the TLS termination.

这使得 request.isSecure()返回 true ;

为此,您需要添加 secure =true server.xml中的连接器配置

https://tomcat.apache.org/tomcat-7.0-doc/config/http.html

另请参阅计划属性。

相关推荐