Thread: HTTP Channel for localhost and HTTPS for everything else. How to do?

  1. #1
    Join Date
    May 2012
    Posts
    2

    Question HTTP Channel for localhost and HTTPS for everything else. How to do?

    Hi everyone,

    I wanted to know if there is an easy way to set up Spring Security to use https for all connections besides localhost. The reason is that a nodeJS instance is connecting to my REST WebApp. Therefore there is no need to communicate over https, I think.

    This is my <http> tag within my Spring security context:
    HTML Code:
    <http create-session="stateless" use-expressions="true"
    	authentication-manager-ref="ZportlyAuthenticationManager" entry-point-ref="digestEntryPoint">
    	<http-basic />
    	<intercept-url pattern="/auth/*" access="isAnonymous()" requires-channel="https" />
    	<intercept-url pattern="/error/*" access="isAnonymous()" requires-channel="https" />
    	<intercept-url pattern="/**" access="isAuthenticated()" requires-channel="https" method="GET" />
    	<logout logout-url="/auth/logout" logout-success-url="/auth/logout/success" />
    	<custom-filter ref="allowCrossDomainRequestFilter" position="LAST" />
    	<custom-filter ref="digestFilter" after="BASIC_AUTH_FILTER" />
    	<!-- <port-mappings> <port-mapping http="8080" https="8443" /> </port-mappings> -->
    </http>

  2. #2
    Join Date
    Mar 2012
    Location
    Gurgaon, India
    Posts
    49


    We manage such things in the build process using Maven profiles. In Maven pom.xml, create profiles for each of the environments; for example:

    Code:
        <project>
            ...
            <profiles>
                <profile>
                    <id>dev</id>
                    <properties>
                        <spring.security.http.channel>http</spring.security.http.channel>
                    </properties>
                </profile>
                <profile>
                    <id>test</id>
                    <properties>
                        <spring.security.http.channel>https</spring.security.http.channel>
                    </properties>
                </profile>
                <profile>
                    <id>staging</id>
                    <properties>
                        <spring.security.http.channel>https</spring.security.http.channel>
                    </properties>
                </profile>
                <profile>
                    <id>prod</id>
                    <properties>
                        <spring.security.http.channel>https</spring.security.http.channel>
                    </properties>
                </profile>
            </profiles>
            ...
        </project>
    Then, use Maven resource filtering to set the channel appropriately during the build.

    Code:
    <http create-session="stateless" use-expressions="true"
        authentication-manager-ref="ZportlyAuthenticationManager" entry-point-ref="digestEntryPoint">
        <http-basic />
        <intercept-url pattern="/auth/*" access="isAnonymous()" requires-channel="${spring.security.http.channel}" />
        <intercept-url pattern="/error/*" access="isAnonymous()" requires-channel="${spring.security.http.channel}" />
        <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="${spring.security.http.channel}" method="GET" />
        <logout logout-url="/auth/logout" logout-success-url="/auth/logout/success" />
        <custom-filter ref="allowCrossDomainRequestFilter" position="LAST" />
        <custom-filter ref="digestFilter" after="BASIC_AUTH_FILTER" />
        <!-- <port-mappings> <port-mapping http="8080" https="8443" /> </port-mappings> -->
    </http>
    If you are using Ant for building the code, a similar strategy can be adopted with Ant token replacement.

  3. #3
    Join Date
    May 2012
    Posts
    2


    Hi Manish,

    Thank you for your reply. Your idea makes sense if I had to distinguish between different profiles like your example, but I need an http and an https channel at the same time for the URLs. Something like this:

    HTML Code:
    <intercept-url pattern="/auth/*" access="isAnonymous()" requires-channel="http" />
    <intercept-url pattern="/error/*" access="isAnonymous()" requires-channel="http" host="localhost" />
    <intercept-url pattern="/error/*" access="isAnonymous()" requires-channel="https" host="all other incoming connections" />
    I googled a lot and did not find a solution so far.
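
Added example, not part of the thread and not the posters' code: one way to get the per-client split asked for above is a custom `RequestMatcher` that selects a separate `<http>` block for loopback callers, since `<intercept-url>` has no `host` attribute. The class name, the bean id `loopbackMatcher` and the sample addresses are assumptions; it targets Spring Security 3.2+ with the `javax.servlet` API.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Hypothetical helper: matches requests whose TCP peer is a loopback
 * address, e.g. a Node.js process running on the same machine.
 * (In Spring Security 3.1 the interface is
 * org.springframework.security.web.util.RequestMatcher.)
 *
 * Wiring sketch (bean id is made up), first matching <http> block wins:
 *   <http request-matcher-ref="loopbackMatcher" ...>  requires-channel="http" rules
 *   <http ...>                                        requires-channel="https" rules
 */
public class LoopbackRequestMatcher implements RequestMatcher {

    @Override
    public boolean matches(HttpServletRequest request) {
        // Decide on the socket peer address, never on the Host header or
        // X-Forwarded-For: both are chosen by the client.
        return isLoopback(request.getRemoteAddr());
    }

    static boolean isLoopback(String remoteAddr) {
        // InetAddress.getByName(null) and getByName("") both return the
        // loopback address, so reject empty input before parsing.
        if (remoteAddr == null || remoteAddr.isEmpty()) {
            return false;
        }
        try {
            // getRemoteAddr() yields an IP literal, so no DNS lookup happens.
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false; // fail closed: treat the caller as remote
        }
    }

    // Constructed sample addresses, for a quick check outside the container.
    public static void main(String[] args) {
        String[] samples = {"127.0.0.1", "::1", "192.0.2.10", ""};
        for (String s : samples) {
            System.out.println("'" + s + "' loopback=" + isLoopback(s));
        }
    }
}
```

If the application sits behind a reverse proxy on the same host, every request arrives from a loopback address and would bypass the HTTPS rules, so this matcher only fits deployments where clients connect to the container directly.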
