Converting http to https using Spring Security

**balakrishna mansani** · Jun 6th, 2010, 04:41 AM

Hi,

Can someone help me please by telling what all i need to configure in my application, so that my application switches to https, whenever a URL is accessed via http.

I am using Spring MVC and i want to use Spring security with it for achieving the above said.

My requirement is simple. I dont want any kind of authentication. FOr all the users who have accessed the application URL as http, it should
change to https.

Thanks,
Bala

**Luke Taylor** · Jun 6th, 2010, 04:59 AM

Why not just use the standard web.xml constraints?

**balakrishna mansani** · Jun 6th, 2010, 06:12 AM

Thanks Luke!!! That was really helpful.

Adiing the Security constraint resolved my problem.

<security-constraint>


<web-resource-collection>
<web-resource-name>Example name</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>


<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

**weissed** · Jun 6th, 2010, 06:24 AM

Originally Posted by Luke Taylor

Why not just use the standard web.xml constraints?

In my experience, unfortunately it doesn't really work with Websphere.

**balakrishna mansani** · Jun 6th, 2010, 03:06 PM

Hi,

Im using it with Weblogic 9.2 server.

When i directly use the configurations with the app server, the redirection works fine, but there is a problem when im accessing the application using a Web server on top of the application server.

It works fine for me, if i used https, but when using http, it gives me a forbidden error 403.

Any thoughts about this issue?

To make it simpler, its works fine for me with https and gives a forbidden 403 error when using http.

- Bala

**weissed** · Jun 6th, 2010, 03:37 PM

You can also try setting the requires-channel property in your spring security.

Code:

<intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>
<port-mappings>
  <port-mapping http="9080" https="9443"/>
</port-mappings>

**balakrishna mansani** · Jun 6th, 2010, 05:15 PM

Hi,

We have tried with this configuration, but was getting some other errors while deploying.

Resolved the deployment errors and kept the access="IS_AUTHENTICATED_ANONYMOUSLY", but was getting 403 Forbidden error.

Can you please tell what other configurations need to be added, along with the ones you have mentioned?

If you can point us or give us a working example of this, that will be really greatful.

**nishashirawala** · Jun 8th, 2010, 01:20 AM

Hi,

In my application, all http urls are redirected to https.

If you want to do so try following

<entry key="8080"><value>443</value></entry>

let me know if it is working or not

Thanks,
Nisha

**balakrishna mansani** · Jun 8th, 2010, 11:28 AM

Hi Nisha,

Thanks for the reply.

Can you give me complete configurations that needs to be done?

When we use http tag, it fails asking for configuring remember me and entry point.

I didnt quite understand why these are required for the requirement i have?

**Luke Taylor** · Jun 8th, 2010, 12:58 PM

If you don't need security, other than HTTPS, then use web.xml. There's no point in adding a Spring Security configuration just for this.

Thread: Converting http to https using Spring Security

Thread Tools

Display

Converting http to https using Spring Security

Posting Permissions