aspose file tools*
The moose likes Spring and the fly likes force https in spring security 3 Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Java 8 in Action this week in the Java 8 forum!
JavaRanch » Java Forums » Frameworks » Spring
Bookmark "force https in spring security 3" Watch "force https in spring security 3" New topic
Author

force https in spring security 3

Jessie Hui
Greenhorn

Joined: Mar 22, 2012
Posts: 1
Dear all,

I just want to force the login page to HTTPS, however, after setting the following config and restart server(no error message), it cannot force HTTPS for the login page, please help, million thanks.

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<security:global-method-security
pre-post-annotations="enabled">
<!-- AspectJ pointcut expression that locates our "post" method and applies
security that way <protect-pointcut expression="execution(* bigbank.*Service.post*(..))"
access="ROLE_TELLER"/> -->
</security:global-method-security>

<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<security:filter-chain filters="none" pattern="/images/*" />
<security:filter-chain filters="none" pattern="/css/*" />
<security:filter-chain filters="none"
pattern="/doclst/Login.do" />
<security:filter-chain filters="none"
pattern="/doctorlist/index.jsp" />
<security:filter-chain pattern="/doclst/**"
filters="httpSessionContextIntegrationFilter,
docLstAuthenticationProcessingFilter, docLstLogoutFilter,
docLstExceptionTranslationFilter, docLstFilterSecurityInterceptor, channelProcessingFilter" />
</security:filter-chain-map>
</bean>

<bean id="httpSessionContextIntegrationFilter"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">

</bean>

<bean id="docLstAuthenticationProcessingFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="allowSessionCreation" value="true" />
<property name="sessionAuthenticationStrategy" ref="sessionFixationProtectionStrategy" />
<property name="authenticationManager" ref="docLstAuthenticationManager" />
<property name="authenticationFailureHandler">
<bean
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/doclst/Login.do?authfailed=true" />
</bean>
</property>
<property name="authenticationSuccessHandler">
<bean
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/doclst/Home.do" /> <!-- which is the default value -->
<property name="alwaysUseDefaultTargetUrl">
<value>true</value>
</property>
</bean>
</property>
<property name="filterProcessesUrl" value="/doclst/j_spring_security_check" />
</bean>


<bean id="docLstLogoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/doclst/Login.do" />
<constructor-arg>
<list>
<bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
</list>
</constructor-arg>
<property name="filterProcessesUrl" value="/doclst/j_spring_security_logout" />
</bean>

<bean id="docLstExceptionTranslationFilter"
class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint">
<bean
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/doclst/Login.do" />
</bean>
</property>
</bean>

<bean id="docLstFilterSecurityInterceptor"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager" />
<property name="authenticationManager" ref="docLstAuthenticationManager" />
<property name="securityMetadataSource">
<security:filter-security-metadata-source>
<security:intercept-url pattern="/doclst/**"
access="ROLE_USER" />
</security:filter-security-metadata-source>
</property>
</bean>

<bean id="docLstAuthenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="docLstDAOAuthenticationProvider" />
</list>
</property>
</bean>

<bean id="docLstDAOAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="passwordEncoder" ref="passwordEncoder" />
<property name="userDetailsService" ref="docLstDaoImpl" />
</bean>

<bean id="docLstDaoImpl"
class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
xxxxxxxxxxxx,ROLE_USER
</value>
</property>
</bean>

<bean id="passwordEncoder"
class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />

<bean id="sessionFixationProtectionStrategy"
class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
<property name="migrateSessionAttributes" value="true" />
</bean>

<bean id="httpRequestAccessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions" value="false" />
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean
class="org.springframework.security.web.access.expression.WebExpressionVoter" />
</list>
</property>
</bean>

<bean id="channelProcessingFilter"
class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
<property name="channelDecisionManager" ref="channelDecisionManager" />
<property name="securityMetadataSource">


<security:filter-security-metadata-source
path-type="ant">
<!--You can configure further rules here about which pages should use
SSL. -->
<security:intercept-url pattern="/doclst/Login.do"
access="REQUIRES_SECURE_CHANNEL" />
</security:filter-security-metadata-source>
</property>
</bean>


<bean id="channelDecisionManager"
class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
<property name="channelProcessors">
<list>
<ref bean="secureChannelProcessor" />
<ref bean="insecureChannelProcessor" />
</list>
</property>
</bean>

<bean id="secureChannelProcessor"
class="org.springframework.security.web.access.channel.SecureChannelProcessor" />
<bean id="insecureChannelProcessor"
class="org.springframework.security.web.access.channel.InsecureChannelProcessor" />

</beans>
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: force https in spring security 3
 
Similar Threads
Migrating from spring security 2.x to spring security 3.x
"Spring Security Application" Initiated by Apache
How to bypass spring secuirty setup for Javascript files and Struts2 ajax (DOJO) files?
spring security form based login using database not responding
Spring security multiple login pages