Nov 4th, 2011, 06:12 PM
Requiring HTTPS for login
I'm using spring security in an open source project (http://pebble.sf.net). In pebble, you would rarely want to have an instance served entirely under HTTPS, because it's a blog, most people viewing it won't be authenticated. But when you authenticate, you want to use HTTPS. Spring makes it farely simple to require HTTPS for certain URLs, but the problem is, this requires editing config files. Pebble has many different URLs that could potentially be protected, including the whole instance, and what we really don't want to do is force users to have to make big edits to the spring security config files in order to support this.
So, there is a simple solution, that is to do the HTTPS redirection in Apache - whenever a user visits the login page they are upgraded to HTTPS. This would work, except for spring securitys saved request success handler. When it redirects you to the login page, it stores the original URL, including scheme, host and port number, which would be HTTP, and then on successful authentication redirects you back to HTTP. So, you get HTTPS for login, but then you are redirected to HTTP by spring security, which makes https for login almost pointless because an eavesdropper can see your cookie and has complete control over your account.
So what I'm wondering is if we could make the saving of the scheme (and probably host and port) optional via a configuration parameter, so that cases where you want Apache to do HTTPS upgrade for the login page will work?