@joshuacalloway
Created February 27, 2015 00:08
HowTo force Spring Security to make https redirect requests when behind a load balancer
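// file: grails-app/conf/spring/resources.groovy
// Registers SecureRequestCache under the bean name `requestCache` and feeds it the
// forceHttps switch from the security configuration.
// NOTE(review): SecureRequestCache (package com.retel.security) has to be imported and
// `securityConfig` has to be in scope in this file; neither is shown here, so confirm.
beans = {
    requestCache(SecureRequestCache) {
        // When false, SecureRequestCache delegates to the stock HttpSessionRequestCache logic.
        forceHttps = securityConfig.auth.forceHttps
    }
}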
package com.retel.security;
import org.springframework.security.web.PortResolver;
import org.springframework.security.web.PortResolverImpl;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.savedrequest.DefaultSavedRequest;
import org.springframework.security.web.util.UrlUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* Created by jc on 2/26/15.
*/
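/**
 * Request cache that rewrites the saved (pre-login) request so that the redirect issued
 * after authentication always uses {@code https} on port 443.
 *
 * <p>Intended for deployments where TLS is terminated at a load balancer and the
 * application itself only sees plain {@code http} requests. With {@code forceHttps}
 * disabled the class behaves exactly like {@code HttpSessionRequestCache}.
 *
 * <p>NOTE(review): where the container can be configured to honour the load balancer's
 * forwarded-protocol header, that fixes the scheme for every redirect rather than only
 * the saved-request one; this class addresses the post-login redirect alone.
 */
public class SecureRequestCache extends org.springframework.security.web.savedrequest.HttpSessionRequestCache {

    /** When true (the default) saved requests are stored as https/443 variants. */
    private boolean forceHttps = true;

    /** Local copy of the resolver; the parent keeps its own private field. */
    private PortResolver portResolver = new PortResolverImpl();

    /**
     * Saved request whose scheme and port are pinned to https/443.
     *
     * <p>Declared {@code static}: instances are placed in the HTTP session, and a
     * non-static inner class would drag an implicit reference to the enclosing
     * (non-serializable) cache bean into the session, which can break session
     * persistence or replication.
     */
    static class AlwaysHttpsDefaultSavedRequest extends DefaultSavedRequest {

        private static final long serialVersionUID = 1L;

        /**
         * @param request      the request being saved
         * @param portResolver resolver handed to {@code DefaultSavedRequest}
         */
        public AlwaysHttpsDefaultSavedRequest(HttpServletRequest request, PortResolver portResolver) {
            super(request, portResolver);
        }

        /** @return always {@code "https"}, regardless of the scheme the request arrived with */
        @Override
        public String getScheme() {
            logger.debug("overriding scheme of " + super.getScheme() + " to https");
            return "https";
        }

        /** @return always 443 */
        @Override
        public int getServerPort() {
            return 443;
        }

        /**
         * Rebuilds the redirect URL from the overridden scheme and port.
         *
         * <p>The host part is whatever server name was captured from the original
         * request, so the load balancer or container should only forward requests
         * for expected host names; this class does not validate it.
         *
         * @return the absolute https URL to redirect to after login
         */
        @Override
        public String getRedirectUrl() {
            return UrlUtils.buildFullRequestUrl(
                    getScheme(), getServerName(), getServerPort(), getRequestURI(), getQueryString());
        }
    }

    /** @return whether saved requests are rewritten to https */
    public boolean isForceHttps() {
        return forceHttps;
    }

    /** @param forceHttps true to rewrite saved requests to https, false for the parent behaviour */
    public void setForceHttps(boolean forceHttps) {
        this.forceHttps = forceHttps;
    }

    /** @return the resolver used when building the https saved request */
    public PortResolver getPortResolver() {
        return portResolver;
    }

    /**
     * Sets the port resolver for both code paths.
     *
     * @param portResolver the resolver to use
     */
    @Override
    public void setPortResolver(PortResolver portResolver) {
        // The parent keeps a private resolver that super.saveRequest() uses; without this
        // call a configured resolver would be silently ignored whenever forceHttps is false.
        super.setPortResolver(portResolver);
        this.portResolver = portResolver;
    }

    /**
     * Stores the current request in the session so it can be replayed after login.
     *
     * @param request  the request that triggered authentication
     * @param response the current response (only passed through to the parent)
     */
    @Override
    public void saveRequest(HttpServletRequest request, HttpServletResponse response) {
        logger.debug("forceHttps is set to " + forceHttps);
        if (!forceHttps) {
            super.saveRequest(request, response);
            return;
        }
        // NOTE(review): this branch writes the attribute directly, so any filtering the
        // parent's saveRequest applies (request matching, "create session allowed" style
        // switches, depending on the Spring Security version) is bypassed and a session
        // is always created. Confirm that is acceptable for unauthenticated traffic.
        DefaultSavedRequest savedRequest = new AlwaysHttpsDefaultSavedRequest(request, portResolver);
        request.getSession().setAttribute(WebAttributes.SAVED_REQUEST, savedRequest);
    }
}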
@joshuacalloway
Author

Of course, set this configuration property to true so that the https override is active:

grails.plugins.springsecurity.auth.forceHttps = true
